
Square Open Source
- $100 – $10,000 per vulnerability
Block, Inc.
This program is part of Block, Inc. You can participate in our other bug bounty programs below:
Rewarding security bugs in our open source projects
Square recognizes the important contributions the security research community can make. Part of keeping Square's customers safe is making sure that we find and fix any security issues in our open source projects. If you find any vulnerabilities in any of our participating open source projects, send us a report. Even better, send us a fix!
Note that this program is for reporting issues in our open source projects. If you believe you have discovered a security vulnerability in one of Square's domains (squareup.com, square.com, or cash.me) or mobile applications (Square Point of Sale, Square Cash App), please report it to our other Square bug bounty program.
Attributes of a good report
- Detailed explanation & proof-of-concept for the bug
- Include specific source code references for the issue from our GitHub
- Include repository, release version, branch and other information
- Describe the real-world impact/exploitability of the bug
Ineligible reports
- Issues related to software not under our control (such as external dependencies) are not eligible for a reward.
- Most of our open source development is publicly visible. Reports related to an issue being fixed in a branch or being tracked in a public way will therefore not be eligible for a bounty.
- Reports of issues without a proof-of-concept or clear path to exploitation. You may still report these, but will not be eligible for a monetary reward.
- Issues which can only be reproduced on specific combinations of hardware or software not used by Square.
How to send a fix
Please do not open a pull request or GitHub ticket to fix an issue you're reporting. This would unnecessarily reveal any potential vulnerabilities. Instead, if you'd like to send us a fix, attach a patch file to the issue you open. You'll need to sign our Individual Contributor License Agreement before any patches can be accepted.
Rewards
Rewards range from $100 to $10,000 depending on the type of issue and impact. We prioritize and reward issues based on the real-world impact to our software and systems as operated by Square. The values below represent upper bounds, and rewards may vary in practice.
Scope and rewards
Program rules
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.