Square today launched a bug bounty program in conjunction with HackerOne. Rewards start at a minimum of $250 and no maximum is given. The company has outlined requirements in order to identify legitimate security research as opposed to malicious attacks against its services.
Square promises not to bring legal action against researchers who:
- Share the full details of any problem found with Square.
- Do not disclose the issue to others until Square has had “reasonable time” to address it.
- Do not intentionally harm the experience or usefulness of the service to others.
- Never attempt to view, modify, or damage data belonging to others.
- Do not attempt a denial-of-service attack.
- Do not perform any research or testing in violation of law.
The company says the scope of accepted bounties includes all of its domains and properties. That being said, as a financial services startup, it is “particularly interested” in problems with payment flow.
Square’s reasoning is much like that of any other tech company that wants help from the security community in protecting its own:
“With so many sellers relying on Square to run and grow their business, we’ve made protecting them a priority. We monitor every transaction from swipe to payment, innovate in fraud prevention, and adhere to industry-leading standards to manage our network and secure our web and client applications. We protect our sellers like our own business depends on it — because it does.”
It’s interesting Square has decided to use HackerOne for its program. Also known as The Internet Bug Bounty Program, the site was launched by Microsoft and Facebook to help secure the Internet stack by rewarding anyone and everyone who hacks it. A quick look at the list of programs shows the scope has grown significantly, which should excite any legitimate security researcher looking to make some money.