Cash App

  • $100 – $18,000 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded: 45
  • Validation within 5 days: 75% of submissions are accepted or rejected within 5 days
  • Average payout: $500 within the last 3 months

Disclosure

Please note: This program or engagement does not allow disclosure. You may not release information about vulnerabilities found in this program or engagement to the public.

Block, Inc.

This program is part of Block, Inc. You can participate in our other bug bounty programs below:

Square
Square Open Source
Tidal
Afterpay

Serious about security

Our approach to security is designed to protect the CashApp ecosystem. We monitor every transaction, continuously innovate in fraud prevention, and we protect our customers’ data like our business depends on it - because it does. We adhere to industry-leading standards to manage our network, secure our web and client applications, and set policies across our organization.
Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

We are particularly interested in problems with CashApp’s payment flows. Confirmed vulnerabilities that directly affect our payment flows will receive a $400 minimum reward.

A Note on Similar Submissions:
We ask that researchers who are able to identify the same or similar types of issues in multiple locations across one of our applications combine those findings into a single submission that includes a description as well as the various locations where vulnerabilities have been identified. This greatly assists us in our triage process and allows us to process your submissions faster. The combined submissions will be evaluated holistically and will receive rewards corresponding to the collective findings. For example, if an application is discovered to have broken access control on a number of API endpoints, please submit a single submission that includes a list of those API endpoints. If separate submissions are made, they may be inadvertently closed as duplicates.

Access

  • Credentials are not provided for this engagement, but feel free to self-register using your @bugcrowdninja.com email address.
  • Access to *.cashstaging.app is not provided; however, if you are able to reach the site and find vulnerabilities, you are welcome to submit them here.
  • The flags are long enough that brute force won't work. You'll have to be more creative!

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.