Mastercard Public Bug Bounty

  • $50 – $5,000 per vulnerability
  • Partial safe harbor

Program stats

  • Vulnerabilities rewarded 721
  • Validation within 9 days 75% of submissions are accepted or rejected within 9 days
  • Average payout $130.95 within the last 3 months

Recently joined this program


Please note: This program or engagement does not allow disclosure. You may not release information about vulnerabilities found in this program or engagement to the public.

Program Details

Mastercard is the leading technology company in the worldwide payments industry. We run the fastest payments processing network in the world, tying together consumers, financial institutions, merchants, and governments across more than 210 nations and territories. Everyday commerce activities like buying, travelling, operating a business, and managing finances are made simpler, more secure, and more effective for everyone by Mastercard products and solutions. Mastercard is dedicated to increasing digital security as payment systems develop, which includes thorough testing for any vulnerabilities. By letting us know about any weaknesses, you can earn rewards while also assisting us in making our products and services even safer.

Eligibility for Participation

To be eligible for the Mastercard Bug Bounty Program, you must not:

  • Be a resident of, or make your submission from a country against which the United States has issued export sanctions or other trade restrictions (e.g., Russia, Iran, North Korea, and Syria)
  • Be in violation of any national, state, or local law or regulation.
  • Be employed by Mastercard or its subsidiaries.
  • Be an immediate family member of a person employed b Mastercard or its subsidiaries or affiliates.
  • Be less than 14 years of age. If you are at least 14 years old but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in the program.

If Mastercard discovers that you meet any of the criteria above, you will be excluded from the Mastercard Bug Bounty program and be disqualified from receiving any Bounty payments.


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.