Square launches bug bounty program
Popular California-based financial services and mobile payments company Square has set up a bug bounty program on the HackerOne platform.
The announcement was made during a panel at the Black Hat security conference last week by security expert and well-known bug hunter Dino Dai Zovi, who was recently hired by Square, likely to take charge of its bug finding and fixing efforts.
“With so many sellers relying on Square to run and grow their business, we’ve made protecting them a priority. We monitor every transaction from swipe to payment, innovate in fraud prevention, and adhere to industry-leading standards to manage our network and secure our web and client applications. We protect our sellers like our own business depends on it — because it does,” Neal Harris, head of the application security team at Square, explained in a blog post.
“We recognize the important contributions the security research community can make when it comes to finding bugs, and we’re asking for your help,” he concluded.
The bug bounty program covers the company’s properties at squareup.com or square.com, and the company is especially interested in reports of potential problems in its payment flow. Services that the company acquires in the future are off-limits for the first 90 days after the acquisition.
The company has explained what constitutes a good report and what makes one ineligible. It has also promised not to bring legal action against researchers who share the details of the issues they find with the company, and with no one else, until the problems are solved; who don’t intentionally interfere with the usefulness of the service to other users or with their data; who don’t launch DoS attacks against the service; and who don’t perform any research or testing in violation of the law.
Apart from getting their names in the Hall of Fame, researchers will be rewarded for their efforts with a minimum bounty of $250 per bug. So far, ten vulnerabilities disclosed to the company have been fixed, with rewards ranging from $250 to $1,500.