Afterpay Bug Bounty Program

This program is part of Block, Inc.  Please note that the scope of this program encompasses Afterpay services only. Vulnerabilities discovered in Block products or services should be reported to the relevant Block, Inc programs:
Cash App
Square
Square Open Source
Tidal

About Afterpay

Afterpay is transforming the way we pay by allowing anyone to buy products immediately and pay over time - enabling simple, transparent and responsible spending. We are on a mission to power an economy in which everyone wins.

Afterpay is offered by thousands of the world’s favourite retailers and used by millions of active global customers. Afterpay is currently available in Australia, Canada, New Zealand, the United States and the United Kingdom (where it is known as Clearpay). Afterpay is a wholly owned subsidiary of Block, Inc. (NYSE: SQ).

Getting Started

• Limit your testing to avoid accessing, destroying or otherwise negatively impacting Afterpay customers and merchants data.

• Ensure you understand the targets, scopes and exclusions below

• Afterpay functionality is accessible through our mobile apps, or website: 

  • https://play.google.com/store/apps/details?id=com.afterpaymobile
  • https://apps.apple.com/au/app/afterpay-shop-now-pay-later/id1230286588
  • https://www.afterpay.com/en-US
  • https://portal.afterpay.com

You can read about Afterpay’s integration methods and APIs at https://developers.afterpay.com/.

We recommend performing testing within the Sandbox environment using the API keys provided in scope section of this program brief. You can also provision yourself a customer account in this environment.

Submission Quality 

When writing a submission, you should provide enough information that allows us to reproduce and gain an understanding of the issue, ideally without needing to ask for further clarification. The advice below should be followed to limit misunderstandings and the need for follow-up questions which slow down the triaging process:

• Check our ‘Program Scope’ section before you begin writing your report to ensure the issue you are reporting is in-scope for the program. We make no guarantees that findings for out-of-scope targets will be rewarded
• Provide as many details as possible for our team to assist them with reproducing the issue. Screenshots may be helpful here.
• Please include your understanding of the security impact of the issue, even if you feel that it may be incomplete. In some cases, it may not be possible to have all of the context on the impact of a bug. If you’re unsure of the direct impact, but feel you may have found something interesting, feel free to submit a detailed report and ask.
• Whilst adhering to security best practices is important, all submissions must demonstrate some level of security impact to be eligible for a reward. Think about the attack scenario and how the issue can be exploited (even if the full extent of the issue is uncertain).
• A vulnerability must be verifiable and reproducible for us to be considered in-scope.

Program Scope

Any finding that is not listed as in scope is still encouraged to be reported via this program. These reports will be rewarded at the discretion of the Afterpay Security Team.

All mobile client related vulnerabilities/exploits must be proven to work in the latest version of our mobile application.

Please don't submit multiple reports for the same issue impacting both Production & Sandbox environments. Our Sandbox environment is our non-production equivalent, so we expect the same issues to exist in both environments.

Rewards for findings in third party software & services used by Afterpay will be reviewed on a case by case basis. There are no guarantees that we will reward these issues, but this will be assessed based on impact.

Public Disclosure

If you are planning to disclose outside of the bug bounty, we ask that you give us reasonable notice and allow us to address the vulnerability prior to publishing your disclosure.

Disclosure outside of Bugcrowd

If you would like to report a security vulnerability to us outside of the Bugcrowd platform, please use the contact email found in our security.txt file. We do not offer rewards for responsible disclosure findings submitted outside of Bugcrowd.