PayPal Bug Bounty Program

For Professional Researchers: Bug Bounty Program

Our team of dedicated security professionals works vigilantly to help keep customer information secure. We recognize the important role that security researchers and our user community play in helping to keep PayPal and our customers secure. If you discover a site or product vulnerability, please notify us using the guidelines below.

Program Terms

PayPal’s Bug Bounty Program has integrated with HackerOne. As a result, all PayPal Bug Bounty submissions should be presented for review via the HackerOne portal. If you have not registered with HackerOne, you may do so by clicking here.

Please note that your participation in the PayPal Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page (“Program Terms”). By submitting a site or product vulnerability to PayPal, Inc. (“PayPal”) you acknowledge that you have read and agreed to these Program Terms.

These Program Terms supplement the terms of PayPal User Agreement, the PayPal Acceptable Use Policy, and any other agreement in which you have entered with PayPal (collectively “PayPal Agreements”). The terms of those PayPal Agreements will apply to your use of, and participation in, the Bug Bounty Program as if fully set forth herein. If any inconsistency exists between the terms of the PayPal Agreements and these Program Terms, these Program Terms will control, but only with regard to the Bug Bounty Program.

Responsible Disclosure Policy

Eligibility Requirements

Eligible Domains

Scope for Web Applications

Out-of-Scope Vulnerabilities

Mobile Applications

Bug Submission Requirements and Guidelines

Bounty Payments

Ownership of Submissions

Termination

Confidentiality

Indemnification

Changes to Program Terms

Responsible Disclosure Policy

To encourage responsible disclosures, PayPal commits that, if we conclude, in our sole discretion, that a disclosure respects and meets all the guidelines of these Program Terms and the PayPal Agreements, PayPal will not bring a private action against you or refer a matter for public inquiry.

Eligibility Requirements

To participate in and receive a reward from the Bug Bounty Program, you must have a verified PayPal account in good standing, and present your Bug Bounty submission via the HackerOne portal. If you do not currently have a PayPal account, you can sign up for one here. If you have not registered with HackerOne, you may do so by clicking here.

To be eligible for the Bug Bounty Program, you must not:

  • Be a resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);
  • Be in violation of any national, state, or local law or regulation;
  • Be employed by PayPal, Inc. or its subsidiaries;
  • Be an immediate family member of a person employed by PayPal, Inc. or its subsidiaries or affiliates; or
  • Be less than 14 years of age. If you are at least 14 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in the program.

If PayPal discovers that you meet any of the criteria above, PayPal will remove you from the Bug Bounty Program and disqualify you from receiving any Bounty Payments. Any submissions you make to PayPal via the HackerOne portal, whether they are eligible submissions to the Bug Bounty Program or ineligible submissions shall be considered “Submission(s)” for purposes of these Program Terms.

Eligible Domains Policy

The following services and related domains are included within the scope of the Bug Bounty Program:

The Bug Bounty Program is also valid on certain Partner Sites, such as:

  • www.paypal-__.com domains

PayPal's Partner Sites (www.paypal-__.com) are mainly marketing based sites that are not part of the core PayPal customer domains (.paypal.com) and are managed by hosting vendor companies. They have variable timelines and are often decommissioned. A listing of these sites designated for deprecation will not be publicly maintained due to frequent changes. When researching bugs on these sites, please keep this in mind as bug Submissions for sites on schedule for deprecation will not be honored.

Submissions of bugs relating to services or domains not referenced above or for sites on schedule for deprecation are ineligible for the Bug Bounty Program and will not be eligible for a Bounty Payment.

Scope for Web Applications

In-Scope Vulnerabilities

All Submissions must include the required information to be considered.

Vulnerabilities that are in-scope Submissions under the Bug Bounty Program include, but are not limited to:

  • Disclosure of sensitive or personally identifiable information
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF) for sensitive functions in a privileged context
  • Server-side or remote code execution (RCE)
  • Authentication or authorization flaws, including insecure direct object references and authentication bypass
  • Injection vulnerabilities, including SQL and XML injection
  • Directory traversal
  • Significant security misconfiguration with a verifiable vulnerability

Out-of-Scope Vulnerabilities

Certain vulnerabilities are considered out-of-scope Submissions under the Bug Bounty Program. Those out-of-scope vulnerabilities include, but are not limited to:

  • Any physical attacks against PayPal property or data centers
  • Scanner output or scanner-generated reports, including any automated or active exploit tool
  • Attacks involving payment fraud, theft, or malicious merchant accounts
  • Man-in-the-Middle attacks
  • Vulnerabilities involving stolen credentials or physical access to a device
  • Social engineering attacks, including those targeting internal employees
  • Vulnerabilities for which there are existing, documented controls (e.g. https://developer.paypal.com/docs/classic/paypal-payments-standard/integration-guide/encryptedwebpayments)
  • Open redirects with low security impact or requiring user interaction
  • Host header injections without a specific, demonstrable impact
  • Denial of service (DOS) attacks using automated tools
  • Self-XSS, which includes any payload entered by the victim
  • Any vulnerabilities requiring significant and unlikely user interaction, such as disabling browser controls
  • Login/logout CSRF
  • Content spoofing without embedded HTML or JavaScript
  • Infrastructure vulnerabilities, including:
    • Issues related to SSL certificates
    • DNS configuration issues
    • Server configuration issues (e.g. open ports, TLS versions, etc.)
  • Most vulnerabilities within our sandbox, lab, or staging environments, except Braintree.
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  • Information disclosure of public or non-protected information (e.g. code in a public repository, server banners, etc.)
  • Any other submission determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact

Mobile Applications

Submissions relating to the following mobile applications are in-scope for the Bug Bounty Program:

Mobile Application Name Android Package iOS Package
Claro Pay com.paypal.android.claro com.paypal.claro
PayPal com.paypal.android.p2pmobile com.yourcompany.PPClient
PayPal Business: Send Invoices com.paypal.merchant.client com.paypal.merchant
PayPal Carica com.paypal.android.carica com.paypal.carica
PayPal Here - POS, Credit Card Reader com.paypal.here com.paypal.here,
com.paypal.herehd
Telcel Pay com.paypal.android.telcel com.paypal.telcel
Venmo: Send & Receive Money com.venmo net.kortina.labs.Venmo
Xoom Money Transfer com.xoom.android.app com.xoom.app

In-Scope Mobile Application Vulnerabilities

In addition to in-scope applications referenced above, the following vulnerability types will be considered in-scope Submissions for mobile applications. These include:

  • Man-in-the-Middle attacks
  • Attacks requiring physical access to a device

Out-of-Scope Mobile Application Vulnerabilities

The following mobile application vulnerabilities are out-of-scope for the Bug Bounty Program:

  • Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device
  • Vulnerabilities requiring extensive user interaction
  • Exposure of non-sensitive data on the device
  • Vulnerabilities on third party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)

Bug Submission Requirements

Required Information

For all Submissions, please include:

  • Full description of the vulnerability being reported, including the exploitability and impact
  • Evidence and explanation of all steps required to reproduce the submission, which may include:
    • Videos
    • Screenshots
    • Exploit code
    • Traffic logs
    • Web/API requests and responses
  • Email address or user ID of any test accounts
  • IP address used during testing
  • For RCE submissions, see
  • Failure to include any of the above items may delay or jeopardize the Bounty Payment

Remote Code Execution (RCE) Submission Guidelines

Remote Code Execution (RCE) vulnerabilities involve executing code on the web server, either via a direct command injection or through uploading an executable file. In order for RCE submissions to be considered for this program, they must adhere to these conditions:

Required Information:

  1. Source IP address
  2. Timestamp, including time zone
  3. Full server request and responses
  4. Filenames of any uploaded files, which must include “bugbounty” and the timestamp
  5. Callback IP and port, if applicable
  6. Any data that was accessed, either deliberately or inadvertently

Allowed Actions:

  1. Directly injecting benign commands via the web application or interface (e.g. whoami, hostname, ifconfig)
  2. Uploading a file that outputs the result of a hard-coded benign command

Prohibited Actions:

  1. Uploading files that allow arbitrary commands (i.e. a webshell)
  2. Modifying any files or data, including permissions
  3. Deleting any files or data
  4. Interrupting normal operations (e.g. triggering a reboot)
  5. Creating and maintaining a persistent connection to the server
  6. Intentionally viewing any files or data beyond what is needed to prove the vulnerability
  7. Failing to disclose any actions taken or applicable required information

Failure to meet the above conditions and requirements could result in a forfeiture of any potential Bounty Payment.

Bounty Payments

You may be eligible to receive a monetary reward (“Bounty Payment”) if: (i) you are the first person to submit a site or product vulnerability; (ii) that vulnerability is determined to by a valid security issue by PayPal’s security team; and (iii) you have complied with all Program Terms.

Bounty Payments, if any, will be determined by PayPal, in PayPal’s sole discretion. In no event shall PayPal be obligated to pay you a bounty for any Submission. All Bounty Payments shall be considered gratuitous.

In the event PayPal elects to pay you a bounty, PayPal may make a partial Bounty Payment when the vulnerability is first verified by PayPal and then an additional Bounty Payment once the vulnerability has been fixed. The format and timing of all Bounty Payments shall be determined in PayPal’s sole discretion, subject to the requirements of the Program Terms.

All Bounty Payments must be made to a verified PayPal Account in good standing. If you do not have a verified PayPal Account in good standing at the time of payment, you will not be eligible to receive a bounty (except in extraordinary circumstances agreed to by PayPal, in it’s sole discretion, via email from the Bug Bounty Program team).

All Bounty Payments will be made in United States dollars (USD). You will be responsible for any tax implications related to Bounty Payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.

PayPal will determine all Bounty Payments based on the risk and impact of the vulnerability. The minimum bounty amount for a validated bug submission is $50 USD and the maximum bounty for a validated bug submission is $30,000 USD.

The PayPal Bug Bounty Team retains the right to determine if the bug submitted to the Bug Bounty Program is eligible. All determinations as to the amount of a bounty made by the PayPal Bug Bounty Team are final. Bounty Payment ranges are based on the classification and sensitivity of the data impacted, ease of exploit and overall risk to PayPal customers, PayPal brand and determined to be a valid security issue by PayPal’s security engineers.

Ownership of Submissions

As a condition of participation in the PayPal Bug Bounty Program, you hereby grant PayPal, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to PayPal in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us.

You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to PayPal. In no event shall PayPal be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Submission, so long as PayPal complies with the terms of participation stated herein.

Termination

In the event (i) you breach any of these Program Terms or the terms and conditions of the PayPal Agreements; or (ii) PayPal determines, in its sole discretion that your continued participation in the Bug Bounty Program could adversely impact PayPal (including, but not limited to, presenting any threat to PayPal’s systems, security, finances and/or reputation) PayPal may immediately terminate your participation in the Bug Bounty Program and disqualify you from receiving any Bounty Payments. Please see our recommendations on the proper procedures for testing our applications.

Confidentiality

Any information you receive or collect about PayPal or any PayPal user through the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the PayPal sites, without PayPal’s prior written consent.

Indemnification

In addition to any indemnification obligations you may have under the PayPal Agreements, you agree to defend, indemnify and hold PayPal, its subsidiaries, affiliates and the officers, directors, agents, joint ventures, employees and suppliers of PayPal, its subsidiaries, or our affiliates, harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out of your Submissions, your breach of these Program Terms and/or your improper use of the Bug Bounty Program.

Changes to Program Terms

The Bug Bounty Program, including its policies, is subject to change or cancellation by PayPal at any time, without notice. As such, PayPal may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Bug Bounty Program after PayPal posts any such changes, you accept the Program Terms, as modified.

Frequently Asked Questions

We are a participant of the Google Play Security Reward Program. Certain PayPal Android applications may be eligible for the Google Play program. All vulnerabilities must first be directly reported to the PayPal Bug Bounty Program via the HackerOne portal and be resolved prior to submitting a bonus bounty through the Google Play program. PayPal has no control over the Google Play Security Rewards Program and that program may be discontinued at any time. Any determinations regarding awards under the Google Play Security Rewards Program are the sole discretion of Google. For the full terms of the Google Play Security Reward Program and the list of eligible applications, please visit https://hackerone.com/googleplay.
If you have PayPal account issues, please contact customer service. The PayPal Bug Bounty Team does not have visibility into your PayPal account and therefore cannot assist with such issues.