MasterCard is a technology company in the global payments industry. We operate the world’s fastest payments processing network, connecting consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. MasterCard products and solutions make everyday commerce activities – such as shopping, travelling, running a business and managing finances – easier, more secure and more efficient for everyone. For nearly half a century, MasterCard has been a leader in safety and security. As payment methods continue to evolve, MasterCard is committed to advancing digital security, which includes rigorous testing for potential vulnerabilities. You can help us make our products and services even safer and earn rewards by reporting potential vulnerabilities.
A couple of important requirements for MasterCard:
- When submitting a report to MasterCard, please include the IP address you were testing from somewhere in your report. This is very helpful to MasterCard.
- Due to GDPR and legal requirements, all testing must be conducted using your @bugcrowdninja.com email ID only. If you do not use your @bugcrowdninja.com email ID, you risk being blocked from accessing MasterCard applications.
Use of automated scanners and tools to find vulnerabilities is strictly prohibited. MasterCard requests that testers do not perform automated/scripted testing of web forms, especially "Contact Us" forms that are designed for customers to contact the Support team.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
What to expect from Mastercard
- All valid P1 & P2 findings will be moved to an accepted state within 7 days
- All valid P3 & P4 findings will be moved to an accepted state within 20 days
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Mastercard not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to email@example.com before submitting.
Priceless Cities is a core tenet of MasterCard’s world-renowned 18-year-old Priceless marketing platform that is currently available in 112 countries and 53 languages. The platform provides exclusive curated experiences and special access in over 35 cities marketed in over 52 countries.
- Accounts can be self-provisioned using your @bugcrowdninja.com email address
- Please use the test card number 5555 5555 5555 4444 to register and test orders on demo.priceless.com
- Note: www.priceless.com was previously part of the bug bounty program but has been replaced by the test environment demo.priceless.com, so similar issues reported against www.priceless.com will be marked as duplicates
- The in-scope target demo.priceless.com is protected by HTTP authentication; use the username and password below to log in:
Username: mastercard Password: priceLESS
For the rest of the applications, no specific test data is required.
Please create an account on your own using your @bugcrowdninja.com email address. Your 'bugcrowdninja' email address is your firstname.lastname@example.org. All emails will go to the email address associated with your account.
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Insecure direct object references
- Injection Vulnerabilities
- Authentication Vulnerabilities
- Server-side Code Execution
- Privilege Escalation
- Significant Security Misconfiguration (when not caused by user)
- Subdomain takeovers (for subdomain takeover / broken link hijacking, add a friendly message such as "We are working on it and we will be back soon". Adding a hidden message in the HTML source code to distinguish your takeover from other researchers' is allowed)
- Any other issue that could lead to compromise or leakage of data and directly affects the confidentiality or integrity of user data or user privacy
- These are mostly production applications. Do not deface them or add random content if you find a stored injection or RCE. Report back to us with a PoC and we will test it fully in a lower environment (if required)
- Do NOT conduct non-technical attacks such as social engineering or phishing, and do NOT attempt unauthorized access to infrastructure.
- Do NOT test the physical security of MasterCard offices, employees, equipment, etc.
- Do NOT perform any attack that could harm our services (E.g.: DDoS/Spam).
- Do NOT attack, in any way, our end users, or engage in trade of stolen user credentials.
- Do NOT use automated scanners or tools to find vulnerabilities; they are strictly prohibited.
- Do NOT perform automated/scripted testing of web forms, especially "Contact Us" forms that are designed for customers to contact our support team.
- You may investigate or target vulnerabilities against your own or test accounts, but testing must not disrupt or compromise any data or data access that is not yours.
- Confidentiality: If your testing or investigation inadvertently causes a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information), please include this information in your report (or email email@example.com)
The following finding types are specifically excluded from the bounty:
- Pivoting, scanning, and vulnerability exploitation
- Exfiltration of data from MasterCard systems
- Email spoofing
- Missing or incorrect SPF/DMARC/DKIM records of any kind
- Descriptive error messages (e.g. Stack Traces, application or server errors)
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Fingerprinting/banner disclosure on common/public services
- Disclosure of known public files or directories, (e.g. robots.txt)
- Clickjacking and issues only exploitable through clickjacking
- Login/Logout/Unauthenticated/low-impact/anonymous user CSRF
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Lack of Secure/HTTPOnly flags on non-sensitive Cookies
- Lack of Security Speedbump when leaving the site
- Forgot Password page brute force and account lockout not enforced
- OPTIONS HTTP method enabled
- Username / email enumeration
  - via Login Page error message
  - via Forgot Password error message
- Any missing HTTP security headers
- SSL issues, e.g.
  - SSL attacks such as BEAST, BREACH, Renegotiation attack
  - SSL forward secrecy not enabled
  - SSL weak/insecure cipher suites
- Vulnerabilities affecting users of outdated browsers, e.g.
  - IE < 9
  - Chrome < 40
  - Firefox < 35
  - Safari < 7
  - Opera < 13