Afterpay Bug Bounty Program

  • $100 – $5,000 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded 35
  • Validation within 3 days 75% of submissions are accepted or rejected within 3 days
  • Average payout $525 within the last 3 months

Latest hall of famers

Recently joined this program

201 total


Please note: This program or engagement does not allow disclosure. You may not release information about vulnerabilities found in this program or engagement to the public.

This program is part of Block, Inc.  Please note that the scope of this program encompasses Afterpay services only. Vulnerabilities discovered in Block products or services should be reported to the relevant Block, Inc programs:
Cash App
Square Open Source

About Afterpay

Afterpay is transforming the way we pay by allowing anyone to buy products immediately and pay over time - enabling simple, transparent and responsible spending. We are on a mission to power an economy in which everyone wins.

Afterpay is offered by thousands of the world’s favourite retailers and used by millions of active global customers. Afterpay is currently available in Australia, Canada, New Zealand, the United States and the United Kingdom (where it is known as Clearpay). Afterpay is a wholly owned subsidiary of Block, Inc. (NYSE: SQ).

Getting Started

You can read about Afterpay’s integration methods and APIs at

We recommend performing testing within the Sandbox environment using the API keys provided in scope section of this program brief. You can also provision yourself a customer account in this environment.

Submission Quality 

When writing a submission, you should provide enough information that allows us to reproduce and gain an understanding of the issue, ideally without needing to ask for further clarification. The advice below should be followed to limit misunderstandings and the need for follow-up questions which slow down the triaging process:

  • Check our ‘Program Scope’ section before you begin writing your report to ensure the issue you are reporting is in-scope for the program. We make no guarantees that findings for out-of-scope targets will be rewarded
  • Provide as many details as possible for our team to assist them with reproducing the issue. Screenshots may be helpful here.
  • Please include your understanding of the security impact of the issue, even if you feel that it may be incomplete. In some cases, it may not be possible to have all of the context on the impact of a bug. If you’re unsure of the direct impact, but feel you may have found something interesting, feel free to submit a detailed report and ask.
  • Whilst adhering to security best practices is important, all submissions must demonstrate some level of security impact to be eligible for a reward. Think about the attack scenario and how the issue can be exploited (even if the full extent of the issue is uncertain).
  • A vulnerability must be verifiable and reproducible for us to be considered in-scope.

Program Scope

Any finding that is not listed as in scope is still encouraged to be reported via this program. These reports will be rewarded at the discretion of the Afterpay Security Team.

All mobile client related vulnerabilities/exploits must be proven to work in the latest version of our mobile application.

Please don't submit multiple reports for the same issue impacting both Production & Sandbox environments. Our Sandbox environment is our non-production equivalent, so we expect the same issues to exist in both environments.

Rewards for findings in third party software & services used by Afterpay will be reviewed on a case by case basis. There are no guarantees that we will reward these issues, but this will be assessed based on impact.

Disclosure Procedures

Block recognizes the important contributions the security research community can make. We do not publicly disclose vulnerabilities by default. We take the security of our services very seriously and monitor their use for indications of a malicious attack. In order to distinguish legitimate security research from malicious attacks against our services, we promise not to bring legal action against researchers who:

  • Share with us the full details of any problem found
  • Do not disclose the issue to others until we’ve had a reasonable time to address it and disclosure has been approved by us
  • Do not intentionally harm the experience or usefulness of the service to others
  • Never attempt to view, modify, access, disclose, exfiltrate, use or damage data belonging to Block, its customers, or others
  • Do not attempt a denial-of-service attack
  • Do not perform any research or testing in violation of the law

Disclosure outside of Bugcrowd

If you would like to report a security vulnerability to us outside of the Bugcrowd platform, please use the contact email found in our security.txt file. We do not offer rewards for responsible disclosure findings submitted outside of Bugcrowd.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.