Program stats

23 vulnerabilities rewarded

12 days average response time

Chargify is the premier SaaS provider of recurring credit card billing and business management. We store and process payment information for thousands of merchants and millions of customers. We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems.

This is a points-only program and is managed by the Chargify team.

Targets

Before you begin, please read and understand the Standard Disclosure Terms. All items listed in the Standard Disclosure Terms (including "Common Low Impact Submission Types") are not in-scope and will not be rewarded. In-scope for this bounty:

  • app.chargify.com
  • [your-subdomain].chargify.com

Focus areas:

  • Leakage of payment/credit card information
  • Incorrect permissions
  • Sensitive data disclosures
  • Cross-account access

Excluded from scope:

  • chargify.com / www.chargify.com
  • Any ancillary sites not directly hosted by Chargify (such as docs.chargify.com, status.chargify.com, help.chargify.com, Zendesk, Tumblr, etc.)

Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd’s VRT.

Program Specific Rules:

  • You may create a test account with the following limits: TWO accounts, each with no more than TWO sites and TWO users.

  • Your account company name must begin with [BugCrowd] to help us know you're a security researcher.

  • All other data object creation is limited to a maximum of 50 objects per type.

  • No automated off-the-shelf scanners (like Acunetix or the Burp Suite Scanner). We’ve had these run hundreds of times already.

  • Scripted / API tests must be rate limited to 1 request per second.

  • Absolutely NO attacks or exploits against accounts not created by you. You may only attempt cross-account access between two accounts controlled by YOU.

  • No DoS/DDoS tests.

This bounty requires explicit permission to disclose the results of a submission.