Security Bounty Program

Security is always excessive until it's not enough

At Payment21®, we take security seriously. We encourage independent security researchers to contact us in order to privately report security vulnerabilities or issues. The information on this page is intended for those security researchers that are interested in reporting security vulnerabilities directly to the Payment21 security team.

Disclosure Guidelines

  • Disclosure reports that you submit to Payment21® must include enough details, descriptions, and/or examples so that the issue can be re-created by Payment21 staff.

  • All vulnerabilities must be disclosed in a way that minimizes harm to Payment21’s users, partners, and systems. This requires strict confidentiality until the vulnerability is mitigated.

  • Details about the vulnerability must not be disclosed publicly until Payment21® has confirmed to you in writing that its users and infrastructure are protected from harm.

  • All details about your research, testing, and methodology for discovery should be disclosed honestly and professionally to Payment21 staff without reservation, even the facts you feel may be cast in a negative light.

  • You must comply with all applicable federal, regional, and local laws in connection with your security research activities, or other participation in this Security Bounty Program.

  • You must communicate and work with Payment21 staff to assist Payment21® in mitigating the vulnerability and testing the mitigation.

  • Disclosures that do not fully comply with this program will not be eligible for any bounties, or any of the other assurances discussed below.

Our Response 

If you adhere to the disclosure guidelines above, Payment21® promises the following:

  • Payment21® will calculate a bounty that is commensurate with the impact and exploitability of the vulnerability, as well as the manner in which the vulnerability was disclosed to us.

  • Payment21® retains the exclusive right in its sole and unfettered discretion to assign bounties to disclosed vulnerabilities.

  • To receive a bounty, you must reside in a country not on sanctions lists (e.g., North Korea, Syria etc).

  • Payment21® will work with you to ensure responsible disclosure of the vulnerability to the public. Depending on your wishes and the circumstances, this may include the publication of blog posts on our blog, hyperlinking to articles or blog posts on your website, mentions in social media, and/or public recognition of your responsible disclosure on this web page.

  • Payment21® will not pursue any legal action against you or your company for unlawful access of computer systems, accessing confidential information, or damages to Payment21 systems as a result of the vulnerability that was disclosed in accordance with Payment21’s Security Bounty Program.

Exclusions

There are some types of issues that Payment21® does not consider vulnerabilities. These issues, which are not covered by this program, are listed below:

  • Denial of Service (DDoS) Attacks that leverage high volumes of traffic

  • Spamming / Phishing

  • Non-critical findings from automated vulnerability scanners

  • Social Engineering of Payment21 personnel

  • Physical attacks on Payment21 offices and assets

  • Third party applications and websites that are used by Payment21® (i.e. Drupal etc.)

How to Report Security Vulnerabilities

If you would like to disclose a vulnerability to Payment21®, we encourage you to contact us by email. Please insert the phrase "Bounty Program Vulnerability" in the subject line.

Please include the following information in your email:

  • Physical attacks on Payment21 offices and assets

  • Third party applications and websites that are used by Payment21® (i.e. Drupal etc.)

  • Your name, nickname, handle, or what you’d like to be called while we communicate with you

  • The date/time you first identified the vulnerability

  • How you identified the vulnerability

  • As much detail about the vulnerability as you can

  • How many times you leveraged the vulnerability during your testing (and if applicable, a list of each test you performed)

  • Any additional information you feel may be pertinen

If you would like to encrypt your vulnerability report, you can use a GPG key. Please contact us for more details.

Begin accepting digital payments in 5 easy steps