• $100 – $3,000 per vulnerability
  • Partial safe harbor

Program stats

  • Vulnerabilities rewarded 450
  • Validation within 4 days 75% of submissions are accepted or rejected within 4 days
  • Average payout $180 within the last 3 months

Latest hall of famers

Recently joined this program

1802 total


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Have thoughts on how this program could be improved? Please provide your feedback to Bugcrowd and Mastercard!

Mastercard is a technology company in the global payments industry. We operate the world’s fastest payments processing network, connecting consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. Mastercard products and solutions make everyday commerce activities – such as shopping, traveling, running a business and managing finances – easier, more secure and more efficient for everyone. For nearly half a century, Mastercard has been a leader in safety and security. As payment methods continue to evolve, Mastercard is committed to advancing digital security, which includes rigorous testing for potential vulnerabilities. You can help us make our products and services even safer and earn rewards by reporting potential vulnerabilities.

A Couple Important Requirements for Mastercard:

  • When submitting a report to Mastercard, please be sure to include your IP address that you were testing from somewhere in your report. It is greatly helpful to MasterCard.
  • Due to GDPR and legal requirements. All testing must be conducted using your email ID only. If you fail to use your email ID, you run the risk of getting blocked from accessing Mastercard applications.


Rewards will be facilitated through Payoneer ONLY (Setup payment methods)

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Use of automated scanners and tools to find vulnerabilities is strictly not allowed. Mastercard requests that testers do not perform automated/scripted testing of web forms, especially "Contact Us" forms that are designed for customers to contact the Support team.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.