Square

  • Points – $15,000 per vulnerability

Program stats

  • Vulnerabilities rewarded 412
  • Validation within 5 days 75% of submissions are accepted or rejected within 5 days
  • Average payout $1,091.66 within the last 3 months

Latest hall of famers

Recently joined this program

Block, Inc.

In 2021, Square officially changed its name to Block with Square now being one of our product lines. The Square Bug Bounty program is limited to this line of business and includes the target components outlined in the ‘Target information’ section.

Block engages with Bugcrowd to provide proactive security testing across the majority of our other product lines, however, these programs are invitation only and will remain that way for the foreseeable future. Please reach out to support@bugcrowd.com if you have any questions.

You can participate in our other product bug bounty programs as noted below:

Cash App
Square Open Source
Tidal
Afterpay

Serious about security

Our approach to security is designed to protect buyers and sellers. We monitor every transaction, continuously innovate in fraud prevention, and we protect businesses’ data like our business depends on it—because it does. We adhere to industry-leading standards to manage our network, secure our web and client applications, and set policies across our organization.


Ratings and rewards

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

We are particularly interested in problems with Square’s payment flows. Confirmed vulnerabilities that directly affect our payments flows and comply with these terms will receive a $500 minimum reward.

Access

Please sign up for an account using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.