• $300 – $5,000 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

132 vulnerabilities rewarded

Validation within 12 days
75% of submissions are accepted or rejected within 12 days

$680.35 average payout (last 3 months)


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Serious about security

Our approach to security is designed to protect buyers and sellers. We monitor every transaction, continuously innovate in fraud prevention, and we protect businesses’ data like our business depends on it—because it does. We adhere to industry-leading standards to manage our network, secure our web and client applications, and set policies across our organization.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.


We are particularly interested in problems with Square’s payment flows. Confirmed vulnerabilities that directly affect our payments flows will receive a $500 minimum reward.

Reward Range

Technical severity   Reward range
P1 Critical          $5,000 - $5,000
P2 Severe            $2,500 - $2,500
P3 Moderate          $900 - $900
P4 Low               $300 - $300

P5 submissions do not receive any rewards for this program.


In scope

Target name                                           Type
*.square.com                                          Website
*.squareup.com                                        Other
*.cash.me                                             Website
Cash App Mobile Application for Android               Android
Cash App Mobile Application for iOS                   iOS
Square Point of Sale Mobile Application for Android   Android
Square Point of Sale Mobile Application for iOS       iOS

Out of scope

Target name                                           Type
Any vulnerabilities found in Third-party software     Website

Any domain/property of Square not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Target Information

Squareup.com - Landing page for documentation/resources: https://squareup.com/developers
Cash App for iOS: Here
Cash App for Android: Here
Square Point of Sale for iOS: Here
Square Point of Sale for Android: Here


Please sign up for an account using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.

Special CTF-style Flags!

Find the Account

We've created an account with an email address as ftwr+[32 character flag]@squareup.com. Tell us how you found it, and you'll get a $1000 bounty.

The SHA1 digest of the flag is: b9559723b3fd537e368fdc5c221eef72dc2e8adc.

Find the File

Find a file called BUGCROWD-flag.txt with the contents containing ftwr+[32 character flag]. Tell us how you found it, and you'll get a $1000 bounty.

The SHA1 digest of the flag is: 1fb27653e08cef9c6acdd520f2e9398ad3576549.

Computing the SHA1

To let you confirm that you have found the right flag, we publish the digest of each flag, computed by running echo -n [32 characters] | sha1sum. You can do the same in your terminal (you might need to install sha1sum or use an alternate method). Note that echo without -n appends a newline to the input, which yields a different digest.
For example, if the value of the token were fb3f8fe63cc107c1977855c95633fb13 (it's not), then you would get:

~ echo -n fb3f8fe63cc107c1977855c95633fb13 | sha1sum
53aa4d47f93b76214834193baefb9c6e7d042c11 -
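The same check in Python, as an added example that is not part of the program brief: it normalizes whatever a researcher copied (the bare token, the full ftwr+...@squareup.com address, or a value pasted with a trailing newline) down to the 32 characters the digest was computed over, compares the SHA1 against the two published digests, and shows why plain echo (which appends a newline) would never match. The function and variable names are this example's own; the two published digests and the sample non-flag value are the ones printed above.

```python
import hashlib
from typing import Optional

# Digests published on the program page, each computed over the 32 flag
# characters only (echo -n [32 characters] | sha1sum).
PUBLISHED_DIGESTS = {
    "Find the Account": "b9559723b3fd537e368fdc5c221eef72dc2e8adc",
    "Find the File": "1fb27653e08cef9c6acdd520f2e9398ad3576549",
}

FLAG_PREFIX = "ftwr+"
FLAG_LEN = 32


def normalize_candidate(raw: str) -> str:
    """Reduce a copied value (bare token, full address, line from a file,
    value with trailing newline) to the bare token the digest covers."""
    token = raw.strip()
    if token.startswith(FLAG_PREFIX):
        token = token[len(FLAG_PREFIX):]
    # The account flag is the local part of an @squareup.com address.
    token = token.split("@", 1)[0]
    return token


def flag_digest(token: str, trailing_newline: bool = False) -> str:
    """SHA1 hex digest of the token. trailing_newline=True reproduces what
    plain `echo` (no -n) pipes into sha1sum: one extra 0x0a byte, so the
    digest differs from the published value."""
    data = token.encode("ascii")
    if trailing_newline:
        data += b"\n"
    return hashlib.sha1(data).hexdigest()


def match_flag(raw: str) -> Optional[str]:
    """Return the name of the challenge whose published digest matches the
    candidate, or None if it matches neither (or is not 32 characters)."""
    token = normalize_candidate(raw)
    if len(token) != FLAG_LEN:
        return None
    digest = flag_digest(token)
    for name, published in PUBLISHED_DIGESTS.items():
        if digest == published:
            return name
    return None


if __name__ == "__main__":
    # The page's own example value, which it states is not a real flag.
    sample = "fb3f8fe63cc107c1977855c95633fb13"
    print(flag_digest(sample))                         # same as echo -n ... | sha1sum
    print(flag_digest(sample, trailing_newline=True))  # what plain echo would give
    print(match_flag(sample))                          # None: matches neither digest
```

Run it with a candidate as the `sample` value; a result other than None names the challenge whose digest matched, which is the signal to write up the discovery method for the report.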


Some things to keep in mind when hunting for flags:

  • Only flags created by Square are eligible for the reward. There will be at most one reward per flag.
  • Only the first person to report a flag and methodology for discovery will be rewarded.
  • The flags are long enough that brute force won't work. You'll have to be more creative!

Program Exclusions

  • Any vulnerabilities found in Third-party software
  • Any physical attempts against Square property or data centers
  • Self-XSS
  • Logout CSRF
  • Presence of autocomplete attribute on web forms
  • Missing cookie flags on non-sensitive cookies
  • No maximum password length
  • An oracle that discloses whether a given username, email address, or phone number is associated with an actual account. (However, please do submit anything that allows you to recover usernames en masse.)
  • Using spoofed emails for phishing
  • Reports of the 2-factor token not expiring. We use TOTP codes for two factor.

Disclosure procedures

Square recognizes the important contributions the security research community can make. We encourage coordinated reporting of security issues with our services. We take the security of our services very seriously and monitor their use for indications of a malicious attack. In order to allow us to identify legitimate security research as opposed to malicious attacks against our services, we promise not to bring legal action against researchers who:

  • Share with us the full details of any problem found.
  • Do not disclose the issue to others until we’ve had a reasonable time to address it.
  • Do not intentionally harm the experience or usefulness of the service to others.
  • Never attempt to view, modify, or damage data belonging to others.
  • Do not attempt a denial-of-service attack.
  • Do not perform any research or testing in violation of the law.

Attributes of a good report

  • Detailed steps for reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc. We prefer detailed repro steps over video demos.
  • Describe the versions of all relevant components of the attack (e.g. browser, OS, mobile app version).
  • Describe a concrete attack scenario. How will the problem impact Square or Square buyers/sellers? Put the problem into context.
  • Please group related issues into the same report rather than submitting nearly identical reports. For example, an authorization bypass might affect a handful of endpoints.

Multiple issues with one fix

We ask that researchers who identify the same or similar types of issues in multiple locations throughout an application combine those findings into a single submission whose description includes the locations where the issues were identified. This greatly assists us in our triage process and allows us to process your submissions faster. The combined submission will be evaluated holistically and will be rewarded corresponding to the collective findings. For example, if an application is discovered to have broken access control on a number of API endpoints, please submit a single submission that includes a list of those API endpoints. If separate submissions are made, they may be inadvertently closed as duplicates.

Regarding Cryptocurrency

Please submit any issue related to cryptocurrency to the Square program immediately. Square is eager to work with the community to make sure that every researcher finding related to cryptocurrency will be fairly rewarded given the vulnerability's impact on business and overall severity. This includes compensation that might be higher than what is advertised currently.

OpenPGP key

If you have data that you feel is particularly sensitive and would like to encrypt before sending it to our bug bounty, please use the following OpenPGP key for encryption:


Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.