Rapyd

Rapyd is focused on helping businesses create great local commerce experiences anywhere. The company develops technology designed to remove the back-end complexities of cross-border commerce while providing local payment expertise. Global eCommerce companies, technology firms, marketplaces, and financial institutions use Rapyds FinTech-as-a-service platforms to seamlessly embed localized FinTech and payment capabilities into their applications. Rapyd is also the developer of the Rapyd Global Payments Network, which enables businesses to access the worlds largest local payment network, with over 900 locally preferred payment methods, including bank transfers, eWallets, and cash in more than 100 countries.
We are looking forward to working with the security community to find vulnerabilities to keep our customers safe. Good luck, and happy hunting!

Main Guidelines, read closely!

• Every request must include the X-Bugcrowd header with Bugcrowd username for e.g: Bugcrowd-<Username>', we created a burp configuration file to include the scope targets download here.
• Must use the Bugcrowd email alias [username]@bugcrowdninja.com to self-sign up to the platform (Dashboard.rapyd.net). 
 For more info regarding @bugcrowdninja email addresses read here
• The client portal web application (dashboard.com) can be tested in two modes, sandbox mode, in which all users are admins, and production mode, in this mode users and permissions can be tested. The production mode is only available to those who sign up and select Iceland as their country. Make sure you are signing up from Iceland to have this option.
• Automations against form submissions are not allowed and can lead to a ban from the program.
• Do not degrade Rapyd's user experience, disrupt production systems, or destroy data during security testing.
• Every report must include HTTP request and response.
• Submissions not within the guidelines will be considered as not eligible.
• In most of the requests Rapyd provides the operation ID in the response, which is crucial for internal research. In certain cases, you must provide it if requested by the teams.

Additional guidelines

• When investigating a vulnerability, please only target Only your account and do not attempt to access data from anyone else’s account.
• Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
• Rate limit issues - We enforce a rate limit on our entire Cloud environment (The fact that you can make 50 Requests per minute does not mean that we won't block you if you will try more so just skip this one)
• Do not access customer or employee personal information, credit card data, and Rapyd confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.
• Collect only the information necessary to demonstrate the vulnerability.
• Submit any necessary screenshots, screen captures, network requests, reproduction steps, or similar using the Bugcrowd submission form (do not use third-party file-sharing sites).
• Securely delete Rapyd information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.
• We may accept reports for out-of-scope vulnerabilities and possibly fix them, but we will not award a bounty regardless.
• Perform research only within the scope set out below.

Our top submitted vulnerabilities

At Rapyd we have a long-running bug bounty program, these are our most submitted reports so far:

• Sanitization of inputs in various locations - Email template injections
• Race condition in critical business logic activities - For example, passing multiple refunds
• Business Logic - For example, flows which change wallet balance with an incorrect amount

To encourage responsible disclosure, Rapyd will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meet these requirements and guidelines. If you have questions about the responsible disclosure of results for a submission, please reach out to us via the submission page.

Rewards and Rating Guidelines

Rewards for API findings (api.rapyd.net domain)

• The reward for valid critical and high API findings could be increased depending on the impact on Rapyd.
• Please only use the sandbox environment for API testing activities.

Rewards for PCI findings

• PCI-related findings are vulnerabilities that will result in disclosing credit card data, such as full card number, CVV, etc.
• The reward for valid PCI findings could be increased depending on the impact on Rapyd and will have a minimum bonus of ($500), with the severity of the vulnerability.

Rewards for Privacy findings

• Privacy-related findings are findings that may cause breaches of privacy regulations such as GDPR in the EU or CCPA in the state of California.

Out-of-scope vulnerabilities

• DNS related attacks like: Cache poisoning, DNS flooding, DNS amplification, Fast-flux DNS, Zone Transfer, Missing DNSSEC
• UDP flood attack
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Automated scanning against any contact/submission form will not be tolerated
• Clickjacking on pages with no sensitive actions
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Rate limiting or Bruteforce issues on non-authentication endpoints
• Missing best practices in Content Security Policy.
• Missing HttpOnly or Secure flags on cookies
• Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
• Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
• Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
• Tabnabbing
• Open redirect - unless an additional security impact can be demonstrated
• Issues that require unlikely user interaction

---