Please note that your participation in the Bug Bounty Program is voluntary and is subject to the terms and conditions set out on this web page ("Program Terms"). By submitting a Site or Product Vulnerability to PayPal, Inc. ("PayPal") you acknowledge that you have read and agreed to these Program Terms.
These Program Terms are supplemented by the PayPal User Agreement, the PayPal Acceptable Use Policy, and any other agreements you have entered into with PayPal (collectively the "PayPal Agreements"). The terms of those PayPal Agreements govern your use of and participation in the Bug Bounty Program as set forth herein in full. If any inconsistency exists between the terms of the PayPal Agreements and these Program Terms, these Program Terms shall govern, but only with respect to the Bug Bounty Program.
In order to encourage responsible disclosure, PayPal commits that, if we conclude, in our sole discretion, that a disclosure respects and meets all guidelines of these Program Terms and the PayPal Agreements, PayPal will not bring any private action against you, and will not take action or refer any matter for public inquiry.
As part of your research, do not alter any files or data, including permissions, and do not intentionally view or access any data beyond what is required to demonstrate the vulnerability.
The following PayPal brands are in scope:
PayPal
Venmo
Xoom
Braintree Payments
Swift Financial / LoanBuilder
Hyperwallet
Brands and acquisitions not listed above are not in scope.
PayPal will do its best to adhere to the following response targets:
Response Type Business Days
Resolution time depends on severity and complexity
Eligibility Requirements
To be eligible for the Bug Bounty Program, you must not:
be a resident of, or submit from, a country against which the United States has issued export sanctions or other trade sanctions (e.g., Cuba, Iran, North Korea, Sudan, and Syria);
violate any national, state, or local law or regulation;
be employed by PayPal, Inc. or its subsidiaries;
be an immediate family member of a person employed by PayPal, Inc. or its subsidiaries or affiliates; or
be under 14 years of age. If you are at least 14 years of age but are considered a minor in your place of residence, you must obtain the permission of your parent or legal guardian before you can participate in the program.
If PayPal determines that you meet any of the criteria above, PayPal will remove you from the Bug Bounty Program and disqualify you from receiving any bounty payments.
Disclosure Guidelines
By providing a Submission or agreeing to the Program Terms, you agree that you may not publicly disclose your findings or the contents of your Submission to any third party in any way without PayPal's prior written approval.
Failure to comply with the terms of the program will result in immediate disqualification from the Bug Bounty Program and ineligibility to receive any bounty payments.
Scope for web applications
In-scope vulnerabilities
Accepted in-scope vulnerabilities include, but are not limited to:
Log4Shell
Log4Shell RCEs, data exfiltration, and WAF bypass will be considered High or Critical depending on severity.
Ping-backs in which you can retrieve the environment, hostname, IP address, or date or time are assigned a Medium rating.
The report will be closed as Informative if a reproducible proof of concept is not included.
Disclosure of sensitive or personally identifiable information
Cross-Site Scripting (XSS)
Cross-site request forgery (CSRF) for sensitive functions in a privileged context
Server-side or Remote Code Execution (RCE)
Authentication or authorization flaws, including insecure direct object references and authentication bypass
Injection vulnerabilities, including SQL and XML injection
Directory traversal
Critical security misconfiguration with a verifiable vulnerability
Exposed credentials disclosed by PayPal or its personnel that pose a valid risk to in-scope assets
Out-of-scope vulnerabilities
Some vulnerabilities are considered outside the scope of the bug bounty program. Out-of-scope vulnerabilities include, but are not limited to:
Any physical attack against PayPal property or data centers
Reports that involve a secondary user account where an existing business relationship is being leveraged and the impact is limited to the parent account only
Username enumeration on customer-facing systems (i.e., using server responses to determine whether an account exists)
Scanner output or scanner-generated reports, including any automated or active exploit tools
Attacks involving payment fraud, theft, or malicious merchant accounts
Man-in-the-middle attacks
Vulnerabilities involving stolen credentials or physical access to the device
Social engineering attacks, including those targeting or impersonating internal employees in any way (including customer service chat functions, social media, personal domains, etc.)
Vulnerabilities for which existing, documented controls exist (e.g., https://developer.P