- $100 – $7,500 per vulnerability
================================ PROMOTION May 17th - May 25th ================================
📢 Bug Bounty Promotion Announcement! Earn $500 Bonus for Finding Race Condition Vulnerabilities in Our API and Application 🏆
Dear Valued Community,
We are thrilled to announce a highly focused Bug Bounty Promotion that gives you a unique opportunity to showcase your expertise, contribute to the robustness of our systems, and earn a generous bonus of $500! We believe in the power of collaboration and want to work closely with our talented community members to eliminate race condition vulnerabilities within our API and Verify applications.
What are we looking for? In this promotion, we are specifically interested in identifying and resolving race condition vulnerabilities. A race condition occurs when multiple processes or threads access shared resources concurrently, potentially leading to unpredictable behavior or security risks. By discovering and reporting these vulnerabilities, you will play a crucial role in enhancing the security and reliability of our systems.
verify.rapyd.net - https://docs.rapyd.net/build-with-rapyd/reference/rapyd-verify-1
api.rapyd.net - https://docs.rapyd.net/build-with-rapyd/reference/api-reference
This promotion only applies to Valid Race Condition reports.
=================================== PROMOTION ===========================================
Rapyd is focused on helping businesses create great local commerce experiences anywhere. The company develops technology designed to remove the back-end complexities of cross-border commerce while providing local payment expertise. Global eCommerce companies, technology firms, marketplaces, and financial institutions use Rapyd's FinTech-as-a-service platforms to seamlessly embed localized FinTech and payment capabilities into their applications. Rapyd is also the developer of the Rapyd Global Payments Network, which enables businesses to access the world's largest local payment network, with over 900 locally preferred payment methods, including bank transfers, eWallets, and cash in more than 100 countries.
We are looking forward to working with the security community to find vulnerabilities to keep our customers safe. Good luck, and happy hunting!
Main Guidelines, read closely!
- Every request must include the X-Bugcrowd header carrying your Bugcrowd username, e.g. Bugcrowd-<Username>. We created a Burp configuration file that includes the scope targets; download it here.
- You must use the Bugcrowd email alias [username]@bugcrowdninja.com to self-sign up to the platform (Dashboard.rapyd.net). For more info regarding @bugcrowdninja email addresses, read here.
- Automations against form submissions are not allowed and can lead to a ban from the program.
- Do not degrade Rapyd's user experience, disrupt production systems, or destroy data during security testing.
- Every report must include HTTP request and response.
- Submissions not within the guidelines will be considered as not eligible.
- In most requests Rapyd returns an operation ID in the response, which is crucial for internal investigation. In certain cases you must provide it if requested by the team.
- When investigating a vulnerability, please target only your own account and do not attempt to access data from anyone else's account.
- Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
- Rate limit issues: we enforce a rate limit across our entire cloud environment. The fact that you can make 50 requests per minute does not mean we won't block you if you try more, so skip this one.
- Do not access customer or employee personal information, credit card data, and Rapyd confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.
- Collect only the information necessary to demonstrate the vulnerability.
- Submit any necessary screenshots, screen captures, network requests, reproduction steps, or similar using the Bugcrowd submission form (do not use third-party file-sharing sites).
- Securely delete Rapyd information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.
- We may accept reports for out-of-scope vulnerabilities and possibly fix them, but we will not award a bounty regardless.
- Perform research only within the scope set out below.
Our top submitted vulnerabilities
At Rapyd we have a long-running bug bounty program; these are our most submitted reports so far:
- Sanitization of inputs in various locations - Email template injections
- Race condition in critical business logic activities - For example, passing multiple refunds
- Business logic - For example, flows that change the wallet balance by an incorrect amount
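The refund race named above (and the definition of a race condition earlier on this page), as an added example that is not Rapyd's code: a constructed in-memory refund handler whose balance check and update are separate steps, next to a hardened one that does both under a single lock and rejects duplicate idempotency keys. `Payment`, `refund_racy`, `refund_safe` and the `after_check` hook are assumptions made for this demonstration; a real service would hold the record in a database and use a row lock or conditional UPDATE in place of the lock.

```python
import threading

# Constructed in-memory payment record; a real service would use a DB row lock or conditional UPDATE.
class Payment:
    def __init__(self, amount_cents):
        self.amount_cents = amount_cents   # original charge
        self.refunded_cents = 0            # running total already refunded
        self.lock = threading.Lock()
        self.seen_keys = set()             # idempotency keys already processed

def refund_racy(payment, cents, after_check=lambda: None):  # hook: the demo widens the race window
    """Vulnerable check-then-act: the balance check runs outside the lock, so
    concurrent requests can all pass it before any of them updates the total."""
    if payment.refunded_cents + cents <= payment.amount_cents:
        after_check()
        with payment.lock:                 # the update is atomic, but the check is already stale
            payment.refunded_cents += cents
        return True
    return False

def refund_safe(payment, cents, idempotency_key):
    """Hardened: check and update run under one lock, and an idempotency key
    rejects retried or duplicated requests for the same refund."""
    with payment.lock:
        if idempotency_key in payment.seen_keys:
            return False
        if payment.refunded_cents + cents > payment.amount_cents:
            return False
        payment.seen_keys.add(idempotency_key)
        payment.refunded_cents += cents
        return True

def run_concurrently(fns):
    threads = [threading.Thread(target=fn) for fn in fns]
    for t in threads: t.start()
    for t in threads: t.join()

def demo_racy(n=5):
    """n simultaneous full refunds of one 10.00 payment; returns the total refunded."""
    p = Payment(1000)
    barrier = threading.Barrier(n)         # every thread passes the check before any update
    run_concurrently([lambda: refund_racy(p, 1000, barrier.wait)] * n)
    return p.refunded_cents                # 5000: the payment is refunded five times over

def demo_safe(n=5):
    """Same load on the hardened handler, 4.00 per request with its own key; returns (total, accepted)."""
    p = Payment(1000)
    run_concurrently([lambda i=i: refund_safe(p, 400, f"refund-{i}") for i in range(n)])
    return p.refunded_cents, len(p.seen_keys)   # (800, 2): a third refund would exceed the charge
```

The barrier only makes the window reproducible; in a real handler the same outcome depends on timing, which is why the fix must be structural (one atomic check-and-update plus idempotency) rather than a retry or a delay.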
To encourage responsible disclosure, Rapyd will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meet these requirements and guidelines. If you have questions about the responsible disclosure of results for a submission, please reach out to us via the submission page.
Rewards and Rating Guidelines
Rewards for API findings (api.rapyd.net domain)
- The reward for valid critical and high API findings could be increased depending on the impact on Rapyd.
- Please only use the sandbox environment for API testing activities.
Rewards for PCI findings
- PCI-related findings are vulnerabilities that will result in disclosing credit card data, such as full card number, CVV, etc.
- The reward for valid PCI findings could be increased depending on the impact on Rapyd and will include a minimum bonus of $500, in line with the severity of the vulnerability.
Rewards for Privacy findings
- Privacy-related findings are findings that may cause breaches of privacy regulations such as GDPR in the EU or CCPA in the state of California.
Out of scope and prohibited activities
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Automated scanning against any contact/submission form will not be tolerated.
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS.
- Rate limiting or brute-force issues on non-authentication endpoints.
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies.
- Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version).
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors).
- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
- Open redirect, unless an additional security impact can be demonstrated.
- Issues that require unlikely user interaction.
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email email@example.com. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.