mastercard

  • $100 – $3,000 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

364 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

$950 average payout (last 3 months)

Latest hall of famers

Recently joined this program

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Have thoughts on how this program could be improved? Please provide your feedback to Bugcrowd and Mastercard!

mastercard is a technology company in the global payments industry. We operate the world’s fastest payments processing network, connecting consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. Mastercard products and solutions make everyday commerce activities – such as shopping, traveling, running a business and managing finances – easier, more secure and more efficient for everyone. For nearly half a century, MasterCard has been a leader in safety and security. As payment methods continue to evolve, MasterCard is committed to advancing digital security, which includes rigorous testing for potential vulnerabilities. You can help us make our products and services even safer and earn rewards by reporting potential vulnerabilities.

A Couple Important Requirements for Mastercard:

  • When submitting a report to Mastercard, please be sure to include your IP address that you were testing from somewhere in your report. It is greatly helpful to MasterCard.
  • Due to GDPR and legal requirements. All testing must be conducted using your @bugcrowdninja.com email ID only. If you fail to use your @Bugcrowdninja.com email ID, you run the risk of getting blocked from accessing MasterCard applications.

Rewards

Rewards will be facilitated through Payoneer ONLY (Setup payment methods)

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Use of automated scanners and tools to find vulnerabilities is strictly not allowed. MasterCard requests that testers do not perform automated/scripted testing of web forms, especially "Contact Us" forms that are designed for customers to contact the Support team.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.