Worldpay

  • Points – $20,000 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded: 14
  • Validation within 4 days: 75% of submissions are accepted or rejected within 4 days
  • Average payout: $1,723.07 within the last 3 months

Introduction

No technology is perfect, and as the threat landscape evolves, it becomes increasingly important for organizations to secure their assets. Worldpay believes that working with skilled security researchers across the globe is an integral part in keeping our businesses and customers safe.

Researchers proactively identifying vulnerabilities in Worldpay application environments helps enhance our overall security posture and enables us to better protect our customers and their data. We are excited for you to participate as a security researcher and help Worldpay become more secure. Good luck, and happy hunting!


Policy

Worldpay looks forward to working with the security community and appreciates the time and effort researchers put towards our program. Worldpay will make a best effort to respond to incoming reports within 5 business days and make a bounty determination after validating a legitimate security issue within 10 business days. We will try to keep researchers informed about our progress throughout the process.

Worldpay has defined a list of general program rules, as well as rules regarding specific circumstances. Researchers must adhere to the stated rules and are encouraged to review all the rules presented in this brief. Any rule violations could potentially deem a submission ineligible for reward.

While scope is covered in more detail in the program rules, it's worth noting that Worldpay is a large service provider. There are many applications that we provide hosting or support services for, but we don't always own those assets. Depending on the specific situation, submissions may be deemed out of scope for this reason.

Additionally, when Worldpay publicly announces that we are divesting an existing business asset, we will no longer accept any Bug Bounty submissions on that asset. If you have questions regarding scope, feel free to contact the Bugcrowd Support Portal to confirm asset ownership.

Our program evolves over time, so researchers are also encouraged to periodically review this program page for any rule changes. Researchers should also visit the Announcements page for program notifications.


Important Announcements

This section highlights key program announcements for your reference. This section will update periodically as program conditions change.

1) Targets that achieve $50,000.00 in rewards within a 30-day period are still subject to scope removal for internal evaluation. However, any valid reports submitted before scope removal will still be eligible for payout.

If you have any questions, please reach out to the Bugcrowd Support Portal.


Program Rules

In an effort to assist in deconflicting logs and traffic, we are heavily enforcing a new rule on our program. Effective immediately, please include the following custom header in any testing activity against Worldpay assets:

X-Bug-Bounty:BugCrowd-<username>

The ability to deconflict Bug Bounty traffic will not only assist us when we are reviewing reports and activity, but will also minimize the potential for business impact. Failure to include the "X-Bug-Bounty" custom header will result in a reduced payout of 75%.

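As an added illustration of the log deconfliction this header makes possible (example code written for this page, not code from Worldpay or Bugcrowd), the Python below parses raw request header blocks, looks the header up case-insensitively (HTTP header names are case-insensitive, and researchers may or may not put a space after the colon), validates the BugCrowd-<username> format, and tallies requests per researcher so that tagged, malformed and untagged traffic can be separated during review. The sample header blocks are constructed, and the username character set is an assumption, since the program does not define one.

```python
import re
from collections import Counter
from typing import Optional

# Header name and value format from the program rules: X-Bug-Bounty:BugCrowd-<username>
HEADER_NAME = "x-bug-bounty"
# Assumption: usernames are limited to letters, digits, '_', '.' and '-'.
VALUE_RE = re.compile(r"^BugCrowd-(?P<username>[A-Za-z0-9_.-]+)$")


def parse_headers(raw: str) -> dict:
    """Turn a raw header block into {lowercased-name: stripped-value}.

    Splits on the first ':' only, so values containing ':' survive, and
    tolerates both 'Name:value' and 'Name: value'.
    """
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue  # request line or junk; not a header field
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def bounty_username(headers: dict) -> Optional[str]:
    """Return the researcher username if the header is present and well formed."""
    value = headers.get(HEADER_NAME)
    if value is None:
        return None
    match = VALUE_RE.match(value)
    return match.group("username") if match else None


def classify(raw_requests):
    """Partition raw requests into per-researcher counts, malformed tags, and untagged traffic."""
    tagged = Counter()
    malformed = []
    untagged = []
    for raw in raw_requests:
        headers = parse_headers(raw)
        if HEADER_NAME not in headers:
            untagged.append(raw)
            continue
        user = bounty_username(headers)
        if user is None:
            malformed.append(raw)  # header present but not BugCrowd-<username>
        else:
            tagged[user] += 1
    return tagged, malformed, untagged


# Constructed sample requests (not real traffic); only the header block is needed here.
SAMPLE_REQUESTS = [
    "GET /login HTTP/1.1\nHost: example.invalid\nX-Bug-Bounty:BugCrowd-alice\n",
    "GET /api/v1/accounts HTTP/1.1\nHost: example.invalid\nx-bug-bounty: BugCrowd-alice\n",
    "POST /search HTTP/1.1\nHost: example.invalid\nX-BUG-BOUNTY: BugCrowd-bob_42\n",
    "GET /admin HTTP/1.1\nHost: example.invalid\nX-Bug-Bounty: alice\n",  # missing prefix
    "GET / HTTP/1.1\nHost: example.invalid\nUser-Agent: Mozilla/5.0\n",
]

if __name__ == "__main__":
    tagged, malformed, untagged = classify(SAMPLE_REQUESTS)
    for user, count in tagged.items():
        print(f"researcher {user}: {count} request(s)")
    print(f"malformed tags: {len(malformed)}, untagged requests: {len(untagged)}")
```

Counting malformed tags separately is deliberate: a request that carries the header but not in the agreed format is still a signal that a researcher was trying to identify themselves, and is worth a follow-up rather than being silently treated as untagged traffic.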

  • See the "Application Access" section for rules on authenticated testing.
  • Do not publicly disclose a bug.
  • Do not perform any testing that causes degradation to Worldpay or customer assets (e.g., Denial of Service (DoS), heavy automated scanning, etc.).
  • Impacting our customers or customer data without our explicit approval is strictly prohibited.
  • Researchers cannot utilize valid end-user credentials for any purpose.
    • This is for legal and privacy compliance.
  • No brute forcing of login credentials.
  • Data exfiltration is strictly prohibited.
  • Researchers cannot purchase a service or request a product demo and then utilize any provisioned credentials for testing purposes.
  • We reserve the right not to pay bounties for security bugs found in sites that are not on a product, service, or piece of infrastructure owned, operated, or maintained by Worldpay or any Worldpay-acquired entity.
    • For example, assets that are 3rd party hosted, 3rd party owned, or 3rd party supported may be considered out of scope.
    • If you have questions regarding scope, please contact the Bugcrowd Support Portal.
  • We reserve the right not to pay bounties for security bugs in or caused by additional third-party software (e.g., binary plugins, extensions, etc.).
  • Vulnerabilities are only eligible if they have not been previously discovered by our normal scanning tools, penetration tests, or other processes and sources.
  • Vulnerabilities must be exploitable directly from the internet.
  • Vulnerabilities eligible for payout must be unauthenticated or discovered with default or self-registered credentials.
  • Any vulnerabilities that use credentials obtained by means other than intended self-registration will be subject to a reduced payout.
  • Any proof of concepts should not include images or statements that could cause reputational damage to Worldpay or its customers (e.g., brand damage or tagging on takeover pages).
  • Multiple instances of the same application and vulnerability combination are only eligible for a single payout.
  • If you have identified a single vulnerability affecting multiple endpoints that can be addressed with a single fix/remediation, please submit a single finding listing all those endpoints.
    • We will individually review each endpoint and assess the eligible payout.
  • In cases where there is shared code between multiple assets, bounties will only be paid for one instance of a vulnerability, as only one fix will need to be implemented in the shared code base.
  • The following actions are forbidden on internal Worldpay systems:
    • Internal pivoting
    • Scanning
    • Vulnerability exploitation
  • If you have identified a Remote Code Execution (RCE) or similar vulnerability, please feel free to contact the Bugcrowd Support Portal to determine the best way to demonstrate a safe proof of concept.
  • Social engineering (e.g., phishing, vishing, smishing, etc.) is strictly prohibited.
  • Please provide detailed reports with reproducible steps.
    • Reports without sufficient details to reproduce the issue will not be eligible for a reward.
  • Any potential or theoretical vulnerabilities that are mentioned without demonstration of exploitability will not be paid out.
    • Exploitations must remain within the guidelines of our scope and program rules.
  • Submit one vulnerability per report, unless you can chain the vulnerabilities.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
    • Post-authentication vulnerabilities are much more likely to have internal duplicates and single core fixes.
  • Priority and payment are based on the environment (e.g., production, UAT, development, etc.), the vulnerability, and an internal analysis of the asset and relevant data.


Sensitive Data

  • Once sensitive data (e.g., PII, financial information, etc.) is identified, immediately halt your activity, purge related data from your system, and report the finding to Worldpay.
  • If PII is discovered, indicate the type of PII in the report (e.g., Social Security Number, name, address, etc.).
  • Do not submit any reports with PII.
    • Any report with PII will be closed and not paid out.


Note:

Please ensure that any Worldpay site you're testing actually belongs to Worldpay. Reviewing SSL certificates, whois records, and DNS entries is one way to determine ownership. Please do not rely on Wikipedia to confirm which companies Worldpay has acquired. If you have any concerns about whether or not an asset belongs to Worldpay, please reach out to the Bugcrowd Support Portal.

Worldpay provides a wide range of financial products and services, including web development, application hosting, and DNS services. As such, there will be a number of sites where Worldpay only owns a section of them. There will also be situations where we host the site and own the domain but are not contractually responsible for the security of that site.

We strive to be as transparent as possible with our bug bounty community. If a report comes in that meets these criteria, we will work with the researcher to determine the best path forward, which may include engaging the customer or client.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.