Chargify is the premier SaaS provider of recurring credit card billing and business management. We store and process payment information for thousands of merchants and millions of customers. We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems.

This is a points-only program and is managed by the Chargify team.

Targets

In scope

  • app.chargify.com

Before you begin, please read and understand the Standard Disclosure Terms. All items listed in the Standard Disclosure Terms (including "Common Low Impact Submission Types") are out of scope and will not be rewarded. In scope for this bounty:

  • app.chargify.com
  • [your-subdomain].chargify.com

Focus areas:

  • Leakage of payment/credit card information
  • Incorrect permissions
  • Sensitive data disclosures
  • Cross-account access

Excluded from scope:

  • chargify.com / www.chargify.com
  • Any ancillary sites not directly hosted by Chargify (such as docs.chargify.com, status.chargify.com, help.chargify.com, Zendesk, Tumblr, etc.)

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

Program Specific Rules:

  • You may create a test account with the following limits: TWO accounts each with no more than TWO sites and TWO users.

  • Your account company name must begin with [BugCrowd] to help us know you're a security researcher.

  • All other data object creation is limited to a maximum of 50 objects per type.

  • No automated off-the-shelf scanners (like Acunetix or the Burp Suite Scanner). We've had these run hundreds of times already.

  • Scripted / API tests must be rate-limited to 1 request per second.

  • Absolutely NO attacks or exploits against accounts not created by you. You may only attempt cross-account access between two accounts controlled by YOU.

  • No DoS/DDoS tests.
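As an added example, not part of the Chargify brief or of Bugcrowd's materials: a small Python harness that stays within the rules above (one request per second, only accounts you created yourself) while probing the "cross-account access" focus area. It requests an object owned by one of your test accounts using the credentials of your other test account; a 2xx response is the finding. The API path (`/api/v1/customers/<id>.json`), the bearer-token header, the example base URL and the response shapes are assumptions, and the HTTP transport is replaced by an in-memory fake server so the block runs offline. Swap in a real transport (e.g. one built on `urllib.request`) and your real subdomain to use it against the in-scope target.

```python
"""Rate-limited cross-account access check (illustrative code written for
this page; not Chargify's or Bugcrowd's code).

Assumptions: the API path, header names, token format, base URL and
response bodies below are placeholders. Use only accounts you created.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# transport(url, headers) -> (status_code, body)
Transport = Callable[[str, Dict[str, str]], Tuple[int, str]]


@dataclass
class Throttle:
    """Enforce a minimum spacing between requests (1 req/s by default).

    The clock and sleep functions are injectable so the timing logic can
    be exercised without real waiting; in production leave the defaults.
    """
    min_interval: float = 1.0
    clock: Callable[[], float] = time.monotonic
    sleep: Callable[[float], None] = time.sleep
    _last: Optional[float] = field(default=None, init=False)

    def wait(self) -> float:
        """Block until the interval since the last call has elapsed.
        Returns the number of seconds actually slept."""
        slept = 0.0
        if self._last is not None:
            remaining = self.min_interval - (self.clock() - self._last)
            if remaining > 0:
                self.sleep(remaining)
                slept = remaining
        self._last = self.clock()
        return slept


@dataclass
class Account:
    """One of YOUR test accounts and an object id that account created."""
    name: str
    token: str          # assumed bearer token; placeholder format
    customer_id: int    # an object you created under this account


def check_cross_account(owner: Account, requester: Account,
                        transport: Transport, throttle: Throttle,
                        base: str = "https://YOUR-SUBDOMAIN.chargify.com") -> dict:
    """Fetch `owner`'s object with `requester`'s credentials.

    Both accounts must be yours. A 2xx when requester != owner means the
    authorization check between accounts failed (a reportable finding).
    """
    throttle.wait()  # honour the 1 request/second rule before every call
    url = f"{base}/api/v1/customers/{owner.customer_id}.json"  # assumed path
    headers = {"Authorization": f"Bearer {requester.token}",   # assumed scheme
               "Accept": "application/json"}
    status, _body = transport(url, headers)
    return {
        "url": url,
        "requester": requester.name,
        "owner": owner.name,
        "status": status,
        "cross_account_read": requester is not owner and 200 <= status < 300,
    }


# ---- offline stand-ins so the example runs without network access ----

class FakeClock:
    """Deterministic clock; sleep() just advances the time."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def make_fake_server(ownership: Dict[str, Set[int]], enforce: bool) -> Transport:
    """Constructed fake API: maps token -> owned customer ids. With
    enforce=True it returns 404 for objects the token does not own; with
    enforce=False it leaks any object (the bug the check should detect)."""
    def transport(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        token = headers["Authorization"].split(" ", 1)[1]
        cid = int(url.rsplit("/", 1)[1].split(".", 1)[0])
        if enforce and cid not in ownership.get(token, set()):
            return 404, '{"errors":["Not found"]}'
        return 200, '{"customer":{"id":%d}}' % cid
    return transport


def run_demo() -> dict:
    """Probe both directions (A reads B's object, B reads A's) against an
    enforcing and a leaky fake server, under a shared 1 req/s throttle."""
    a = Account("A", "tok-a", 101)
    b = Account("B", "tok-b", 202)
    ownership = {"tok-a": {101}, "tok-b": {202}}   # constructed test data
    clock = FakeClock()
    throttle = Throttle(1.0, clock.now, clock.sleep)
    results: dict = {}
    for label, enforce in (("enforcing", True), ("leaky", False)):
        server = make_fake_server(ownership, enforce)
        a_to_b = check_cross_account(owner=b, requester=a, transport=server, throttle=throttle)
        b_to_a = check_cross_account(owner=a, requester=b, transport=server, throttle=throttle)
        results[label] = (a_to_b["cross_account_read"], b_to_a["cross_account_read"])
    results["elapsed_seconds"] = clock.t   # four requests => three 1 s gaps
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The throttle is shared across all probes rather than per endpoint, because the program's limit applies to your scripted traffic as a whole; the fake clock shows four requests taking three seconds of enforced spacing. The enforcing server yields no cross-account reads, while the leaky one is flagged in both directions, which is the evidence you would attach to a submission.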

This bounty requires explicit permission to disclose the results of a submission.