Mastercard (VDP Extension)

  • Partial safe harbor
  • Solo-Only

Program stats

  • Vulnerabilities rewarded 7
  • Validation within 1 day 75% of submissions are accepted or rejected within 1 day

Latest hall of famers

Recently joined this program


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

This is an extension of the greater Mastercard Vulnerability Disclosure Program, you can view that program here.

Program Information:

This program consists of both MasterCard Digital Experience Platform (DXP) and Mastercard Receipt Management.

Mastercard Digital Experience Platform (DXP) is a componentized approach to building front end applications for multiple channels using industry standard technologies. DXP provides both a development framework and a library of ready-to-use customizable components for web and mobile. It has its own CLI for web and mobile development. Also having cli for services development purpose.

At Mastercard, we consider the security of our systems to be a top priority. With that said, we recognize that no matter how much effort we put into security - there might still be vulnerabilities present. With that being said, if you discover a vulnerability, we would like to know about it so that we can take steps to address it as quickly as possible.

Program Rules:

  • Observe strict adherence to the program scope.
  • Test ONLY against your own accounts – testing must not disrupt or compromise any data or data access that is not yours. Furthermore, never run tests against users or accounts that are not yours.
  • Confidentiality: Privacy of information is very important, please do not share any program information or vulnerability information outside of this program.
  • Exploitation: Do NOT exploit discovered security issues. ALL vulnerability reports should include a Proof of Concept.
  • Scanners: Automated scanners/tools are strictly prohibited (not allowed).
  • Program Scope: Make all reasonable efforts to adhere to the defined scope of the program. Refer to the Out of Scope section for more information; Out-of-Scope submissions will not be rewarded.
  • Disclosure: Private and public disclosure of any vulnerabilities is strictly prohibited (not allowed).
  • Social Engineering: Non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure is not allowed.
  • If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, please be sure to disclose this in your report.
  • Production Environment: Never perform any attack that could harm Mastercard services (E.g.: DDoS/Spam). If a researcher is found violating any of these guidelines, they will be banned from the Mastercard program.
  • By submitting the vulnerability, you affirm that you have not disclosed - and agree that you will not disclose - your finding (or the existence of your submission) other than via the MasterCard Bug Bounty Process.


This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. Rewards will be facilitated through Payoneer ONLY (setup payment methods).


Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email We will address your issue as soon as possible.