Rewarding security bugs in our open source projects
Square recognizes the important contributions the security research community can make. Part of keeping Square's customers safe is making sure that we find and fix any security issues in our open source projects. If you find any vulnerabilities in any of our participating open source projects, send us a report. Even better, send us a fix!
Note that this program is to report issues in our open source projects. If you believe you have discovered a security vulnerability in one of Square's domains (squareup.com, square.com, or cash.me) or mobile applications (Square Point of Sale, Square Cash App), please report them to our other Square bug bounty program.
Attributes of a good report
- Detailed explanation & proof-of-concept for the bug
- Include specific source code references for the issue from our GitHub
- Include repository, release version, branch and other information
- Describe the real-world impact/exploitability of the bug
- Issues related to software not under our control (such as external dependencies) are not eligible for a reward.
- Most of our open source development is publicly visible. Reports related to an issue being fixed in a branch or being tracked in a public way will therefore not be eligible for a bounty.
- Reports of issues without a proof-of-concept or clear path to exploitation. You may still report these, but will not be eligible for a monetary reward.
- Issues which can only be reproduced on specific combinations of hardware or software not used by Square.
How to send a fix
Please do not open a pull request or GitHub ticket to fix an issue you're reporting. This would unnecessarily reveal any potential vulnerabilities. Instead, if you'd like to send us a fix, attach a patch file to the issue you open. You'll need to sign our Individual Contributor License Agreement before any patches can be accepted.
Rewards range from $100 to $10,000 depending on the type of issue and impact. We prioritize and reward issues based on the real-world impact to our software and systems as operated by Square. The values below represent upper bounds and rewards may vary in practice.
|P1||up to $10,000|
|P2||up to $5,000|
|P3||up to $2,500|
|P4||up to $1,000|
Projects which are hosted in Square's GitHub organization and which contain a
BUG-BOUNTY.md file in the root directory are in scope. Note that we only reward issues found in the latest master branch or release of a project. Outdated releases, development branches, pull requests, or similar are excluded from the bounty.
Currently, the projects in scope are:
- git-fastclone: It's git clone --recursive on steroids
- Go-JOSE: Go library to encrypt/decrypt data in JOSE formats
- Keywhiz: A system for distributing and managing secrets
- KeywhizFs: A FUSE module/filesystem for Keywhiz
- KeySync: Keysync periodically downloads secrets from Keywhiz
- OkHttp: An HTTP+HTTP/2 client for Android and Java applications
- Okio: A modern I/O API for Java
- pam_krb_cache: PAM module for ksu style Kerberos authentication in sudo
- ghostunnel: Simple SSL/TLS proxy with mutual authentication for securing non-TLS services
- rails-auth: Modular resource-based authentication and authorization for Rails/Rack
- Retrofit: Type-safe HTTP client for Android and Java
- Squalor: Go SQL utility library
- Valet: Securely store data in the iOS, tvOS, or macOS Keychain
- Wire: Clean, lightweight protocol buffers for Android and Java
If you have data that you feel is particularly sensitive and would like to encrypt before sending it to our bug bounty, please use the following OpenPGP key for encryption:
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2 mQENBFQKLngBCADIGP81CNlJK9AvC2aZI0fQU8Zq6i48Gj1KsV1HtSlvfTs1HDzD VxOWSKAuof/K3fKAYzIUYis8l39gCnwIB1ozlseZz3cPkjnvlMc0wRTZ4fohyIxP d4hs6atxAImUiQHErM1OI9UmXA1DX2lH3hz3w3wD0qBY/1c+qp/Tju0BZHLonion C9n7AHv78Z3Fg1F/4xLAn0V7JMS7BSK0fp5s/hTHa3ZHYBsL/To7mZ9lmqx5XEiW GXBMbqHQoBwK2ETywQMreuDIqn+HowkLJhMcW3ir+iKZfE3Z3HwP+v/RcyZvND0c eKadqm0rd2INpH02nZeAC68Ac1o4D+GWaDoxABEBAAG0JVNxdWFyZSBJbmZvc2Vj IDxpbmZvc2VjQHNxdWFyZXVwLmNvbT6JAT0EEwEIACcFAlQKLngCGwMFCRLMAwAF CwkIBwMFFQoJCAsFFgMCAQACHgECF4AACgkQrhC6tawqxoqj0gf9EpM2UtkT6Vwa /R7XzF6kn5LWKRUCY2Cqq2pKdC4aEsgE1TJfEWaz4VM2QuladYbdywRde8cauD2g cABvebngzL70M8OeLkIRxNcmQUvuUY08dNjJcKAaAiIdVtVHat9u5fxo2vl+NbYM 09G04+8lfg8SoB+1P6Jb7Ia8OSW5o6SCtp2MJ7nXaqEOdEvXPRCHqhiifeOqq94j pVe1DlTxHLZT+alhemB8Ax9NlyV7FU5i06890ZIaBBWUfKF5ZUAqUy9Juh/35U4a bVqNy8jAS3OPkGEZjHcJj9dQAlgXrvxe+sqsSyUvJgByOSjV0dhHbO6Xgobc/EPB xWKl7ECIrrkBDQRUCi54AQgAqI4ImtjxoCdM9RwCkHaoUjZPtVmVQah6/8W/DAm9 Gi3TFuQVWahq5FRMahGZ4HfhjJyY9X0STS04jRNjcRZVgD98wvoRyBfnuognRaS7 /vIwYRPwnJ5ipWkC9La0uivn+wmQYO1p3Lq5ZoH9RaxgGIpytZ7hTMK9zfXqJ899 HUXYhF7zOUdcMzHMukpybR7yiZTRpsbl8JoQtZ8aB8JQ0ML4ca0/7syqoH8F3aVV MvYEnlGY1iy8npLzVUCDStLJxQ7290kSED8t0v0YNhOtkg7/bZEdNcB56bVJ6uTu 3j/ETuLwJN62dRInDSYfhGAewvg3QfrirGJfesYYuKBn4QARAQABiQElBBgBCAAP BQJUCi54AhsgBQkSzAMAAAoJEK4QurWsKsaKnFUH/jMnMIEfuen/NQa3cVyburgj Xai9KTyqjIQeXS2tnYWqNE5WfR/CSkJ4dJ6A4vsd4xacbQRw+feJkOOUUqUR6ZjM CuUMN4k4DwAom7NKobLs+35Iam6ODgJIhQG/5zCvrtIbuKvoEVHfxY59LqIFB4tI bclvS7mKQKkAGa7aVm6/ZqtSU5oV/ZqM2kawtE4vA3Yy0Woax9sqe9U3kD4mFUY+ f/GNmvtiUR/wddpUuTGY5gxitsYZB68zIlTd9UDmX3q2jqgF1ZdhacTKo95Aluy3 49+SyjPZcvCZyJhgiHBhWN2VbHuKDJYhmiaVN7Iyswzj6WWf/jUVrM1u0gJVY2C5 AQ0EVAoueAEIALWhKlYA3CZXnbgnI9CA2qZ5wq3wo5SeokHUpoJ1SF3wKXkhfrrK Qg+3/CIcc6d0nVoiMEdB51XH5Ahse647bA93urz0IWMagR24JzYx7sXToBZ2jrdX 4/0Stp+GbhMRCRuK8ml2m46Vi+vhs3YkDmP+qpruyo5XLSRlTYYJKOVCqi75a84h b9dZM7BGjPuyuuDS9wq1uq+G8mwfg5G5fIilVPxOuXJmsZqANfYZdatL4pCkudBn EtHeJGVqcQLoeUCSyb7O5BEXvMp43P6N1Y9Q5tQlaXUwoF8R2Ni30/Rl4gzSDgzg VB4MSZdDZLWn6ymDJOt+Mv+BVkyfa2QqGP8AEQEAAYkBJQQYAQgADwUCVAoueAIb DAUJEswDAAAKCRCuELq1rCrGilqBCADD9T/5g3eQKSHHSbhbIjvACSqnIshc+EYS o5U6DXEbdoqE9tad8enEJiuR2N+8X3DwvGLr+quX+tqHX7/FPnqp3kEU793uH4q6 7gdyqa4/RGMM3IjBktRrvW+UHHkXZf0VqBalsfDcC+bXxWljUzByDScOw5hsJuRM 3dRZdWHHrl2wIIAid+97Om73sLn1tm/2oq03aSbRmhRfOLjXF/QEErRipzFqI/kG GzYX1BpwDCPDVIzjTN+eFUcsv/OwBy2EYayOzVmG/WjoO5EGt83eG+/JeLn6+GRy 6Lv8d1oHPpOq5dv9M80nhQ2s9C5o17WMcbUcZMKx95txnN/r09yb =ptIx -----END PGP PUBLIC KEY BLOCK-----