MasterCard VDP

  • Partial safe harbor
  • Solo-Only

We no longer offer point rewards for submissions on this program. Please refer to our blog post: How Bugcrowd sees VDPs and points for more details.

Program stats

  • Vulnerabilities accepted 203
  • Validation within 2 days 75% of submissions are accepted or rejected within 2 days

Latest hall of famers

Recently joined this program


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

MasterCard is a technology company in the global payments industry. We operate the world’s fastest payments processing network, connecting consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. MasterCard products and solutions make everyday commerce activities – such as shopping, travelling, running a business and managing finances – easier, more secure and more efficient for everyone. For nearly half a century, MasterCard has been a leader in safety and security. As payment methods continue to evolve, MasterCard is committed to advancing digital security, which includes rigorous testing for potential vulnerabilities. You can help us make our products and services even safer and earn rewards by reporting potential vulnerabilities.

A Couple Important Requirements for MasterCard:

  • When submitting a report to MasterCard, please be sure to include your IP address that you were testing from somewhere in your report. It is greatly helpful to MasterCard.
  • Due to GDPR and legal requirements. All testing must be conducted using your email ID only. If you fail to use your email ID, you run the risk of getting blocked from accessing MasterCard applications.

Use of automated scanners and tools to find vulnerabilities is strictly not allowed. MasterCard requests that testers do not perform automated/scripted testing of web forms, especially "Contact Us" forms that are designed for customers to contact the Support team.


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

What to expect from Mastercard

  • For all P1 & P2 valid findings, we will move them to an accepted state within 7 days
  • Pal all P3 & P4 valid findings, we will move them to an accepted state within 20 days


Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email We will address your issue as soon as possible.