[{"id":3769756,"new_policy":"Have feedback on our program? Let us know [here!](https://docs.google.com/forms/d/e/1FAIpQLSc_bAdYNvHTZCaU8J0ES0u77I8znDQpN6FqAeCUdIeZARH_Uw/viewform?usp=sf_link)\n\n#Global Payments Vulnerability Disclosure Program (“VDP”) Policy\n\nGlobal Payments is a Fortune 500 worldwide commerce ecosystem serving customers in over 100 countries! We have a team of 24,000 experts and innovators working to serve our customers—dedicated to solving complexity in commerce by providing simple, secure payments and software solutions that anticipate changing needs and carry our customers forward. We’re trusted in over 3.5 million customer locations and 1,300 financial institutions. \n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security community to find vulnerabilities in order to keep our businesses and customers safe. Please read this Program Policy in its entirety.\n\n\n#Eligibility for Participation\n\nYou must be 18 years old or older to submit a vulnerability for consideration as part of the Program. If you are a minor (under 18 years of age), a parent or legal guardian must submit the vulnerability.\n\nYou must be an individual security researcher participating in your own individual capacity. If you work for a security research organization, that organization must permit you to participate in your individual capacity. You are responsible for reviewing and complying with your employer’s rules for participating in the Program.\n\n#Ineligibility for Participation\n\nYou may not participate in the VDP if you are any of the following:\nA resident of, or if you have a tax form from, China or Hong Kong. \n\nA resident of any country/region that is the subject of a broad, geographically-defined United States (U.S.) sanctions program, such as Cuba, Iran, North Korea, Sudan, Syria or Crimea, or a person, or an affiliate, agent, employee, or contractor of a person, that is designated in the U.S. 
Department of the Treasury’s Specially Designated Nationals and Blocked Persons List or any other Office of Foreign Assets Control (“OFAC”) sanctions list.\n\nA resident of any country/region, or a person, or an affiliate, agent, employee, or contractor of a person, that has been sanctioned by the relevant authorities in the country or region from which any data you access through the Program originates, or in which any portion of the information system you access is hosted and/or deployed.\n\nA current employee of Global Payments, a Global Payments affiliate, or an immediate family member (parent, sibling, spouse, or child) or household member of such an employee.\n\nA contingent staff member, contractor, or vendor employee that is currently working with, or has worked in the past twelve (12) months with, Global Payments or a Global Payments affiliate.\n\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nPlease refer to scoped assets to view current in-scope assets. 
Neither VPN access nor credentials will be provided for testing.\n\n#Disclosure Policy\n\n- You agree not to discuss this VDP or any vulnerabilities (even resolved ones) outside of the VDP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Guidelines\n\n- This Program is not intended to encourage any researcher to access, view, transmit, disclose, interact with, or otherwise process Personal Information, defined here to include any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Personal Information may include, as applicable, any Payment Account Number (PAN), Cardholder Data (CHD), or Sensitive Authentication Data (SAD), as each term is defined by the Payment Card Industry Data Security Standard (PCI-DSS). Should you encounter any Personal Information during your research or in connection with the Program, you are required to: (1) minimize your access to Personal Information, including immediately halting your activity, where possible; (2) comply with the additional data protection obligations set forth in the “Data Protection” section of these Program Terms, below; and (3) return any Personal Information you obtain during your research or in connection with the Program when you submit a report, and securely delete all copies of the Personal Information immediately following the submission of your report. \n- Keep scans to 45 requests per minute.\n- For account creation, use your HackerOne email address and only create a single user account.\n- Refer to the assets in scope for specific instructions on testing and follow those instructions.\n- Provide detailed reports with reproducible steps. 
If the report is not sufficiently detailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to prove impact. When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- You may only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments, our customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global Payments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. \n\nIn addition to the below, any vulnerability on the HackerOne Core Ineligible Findings list is out of scope:\n- Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof of concept.\n- Attacks requiring man-in-the-middle (MITM) or physical access to a user's device.\n- Vulnerabilities on partner or supplier products.\n- Rate limiting or brute-force issues on non-authentication endpoints.\n\n\n#Grounds for Disqualification\n\nBecause we do not allow any actions that could negatively impact the customer experience on our websites, apps, or other Global Payments assets, attempting any of the following could result in permanent disqualification from the Program and could result in a possible criminal and/or legal investigation:\n- Violation of the Participation Requirements\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner employees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Any other action that violates these Program Terms\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including scans using tools such as Core Impact or Nessus)\n\n\n#Additional Legal Terms\n\nBy submitting security or vulnerability information to Global Payments, you confirm that you have read, understand, and agree to these Program Terms. 
Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, or create derivative works based upon such information and otherwise exploit such information for any purpose.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. Nothing in these Program Terms shall be deemed to constitute a grant of any license or other right to or in any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.\n\nYou must comply with all applicable federal, state, local, and international laws, regulations, and rules in connection with your security research activities and your participation in the Program. If you violate any applicable law or any requirement established by these Program Terms, you will not be considered a security researcher, and you may become subject to criminal penalties and civil liability. In particular, by participating in the Program, you confirm your understanding: (1) that applicable United States federal laws make it a felony offense for you to intentionally access an information system that is connected to the internet without authorization, or to exceed the scope of your authorized access to such a system, and in doing so to obtain any information therefrom; and (2) that any action that you take on a Global Payments information system that exceeds the limits established by these Program Terms may therefore constitute a federal crime. 
Global Payments reserves all rights to pursue all available remedies, civil and criminal, against any individual or entity operating in violation or excess of the Program Terms.\n\nGlobal Payments retains the right to obtain your Personal Data (as defined in the HackerOne Privacy Policy) from HackerOne, and to process such Personal Data as necessary to accomplish the legitimate business objectives of Global Payments, including but not limited to ensuring the security and integrity of our infrastructure, data, products, and services. Global Payments may also obtain and process your Personal Data for the purpose of exercising or defending legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. By submitting a vulnerability report via the Global Payments Vulnerability Disclosure Program (https://hackerone.com/global-payments) you consent to HackerOne disclosing Personal Data to Global Payments, upon request, in the circumstances described in this paragraph.\n\nGlobal Payments may modify these Program Terms or terminate the Program at any time.\n\n##Data Protection\nTo the extent you access, or view, transmit, disclose, interact with, or otherwise process Personal Information in connection with the Program, you constitute a Processor and/or Service Provider, as each term is defined by Data Protection Laws. 
For purposes of these Program Terms, “Data Protection Laws” means all laws and regulations applicable to the processing of Personal Information in connection with the Program, which may include, but are not limited to, the California Consumer Privacy Act, as modified by the California Privacy Rights Act of 2020 (“CCPA”) and the General Data Protection Regulation (EU) 2016/679 (“GDPR”). Any capitalized term not defined herein shall have the meaning given to that term in the Data Protection Laws.\n\nProcessing Instructions and Details. As a Processor/Service Provider, you shall process Personal Information: (i) only to the extent necessary for participation in the Program; (ii) in compliance with all instructions provided by Global Payments in relation to the processing; and (iii) in accordance with these Program Terms and Data Protection Laws. The categories of Personal Information to which you gain access may include Global Payments team member and customer contact information and any other Personal Information accessed or viewed in connection with the Program. The nature of the processing is solely for the purpose of identifying and submitting a vulnerability through the Program and the duration of processing is limited to the time needed to submit the report. The business purpose and/or lawful basis of the processing is to ensure the security and integrity of our infrastructure, data, products, and services.\n\nProcessing Restrictions. 
You will not: (i) retain, use, disclose or otherwise process Personal Information for any purpose not contemplated by these Program Terms; (ii) retain, use, disclose, or otherwise process Personal Information outside of the direct business relationship between you and Global Payments; (iii) use, distribute, sell, rent, release, or disclose Personal Information to a third party for monetary or other valuable consideration; (iv) combine Personal Information with any other personal information that you receive from, or on behalf of, another person or persons, or collect from your own interaction with a Data Subject; or (v) share Personal Information with any third party for cross-context behavioral advertising, whether or not for monetary or other valuable compensation.\n\nCompliance with Data Protection Laws. You agree that: (i) you shall provide Personal Information with the same level of protection that Global Payments would be required to provide for it; and (ii) you understand the obligations placed upon you by Data Protection Laws. If you determine that you are no longer able to meet your compliance commitments in these Program Terms, you must immediately notify Global Payments in writing.\n\nSub-Processors. You agree that you will not use any Sub-Processors to process Personal Information without the prior written consent of Global Payments.\n\nConfidentiality and Security. You shall maintain the confidentiality of Personal Information to which you have access and limit such access to what is strictly necessary to participate in the Program. While any Personal Information is in your possession or accessible by you, you shall ensure you have reasonable and appropriate security procedures and practices in place to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure. \n\nPrivacy Incidents. 
You shall notify Global Payments immediately, and in no event later than 24 hours, after becoming aware of a Privacy Incident, and you shall provide full assistance to Global Payments in meeting Global Payments’ obligation(s) with respect to such Privacy Incident under Data Protection Laws. For purposes of these Program Terms, “Privacy Incident” means any act, omission, event or occurrence that compromises the confidentiality, integrity, or availability of Personal Information. For the avoidance of doubt, the term “Privacy Incident” includes, without limitation: (i) any incident involving the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Information; and (ii) any incident involving Personal Information that meets the definition of a “security breach,” “personal data breach,” “breach of the security of the system,” or any other similar term under the Data Protection Laws.\n\nAssistance. You shall provide full assistance to Global Payments to enable Global Payments to meet its obligation(s) to perform any assessments or respond to any requests regarding the processing of Personal Information that are required by Data Protection Laws. You shall promptly provide to Global Payments, upon request, all information necessary to demonstrate your compliance with these Program Terms and Data Protection Laws.\n\nReturn and Deletion. You must return any Personal Information you obtain during your research or in connection with the Program when you submit a report, and securely delete all copies of the Personal Information immediately following the submission of your report.\n\nTransfers. You shall not Transfer Personal Information without the prior written consent of Global Payments. 
For purposes of these Program Terms, “Transfer” means the access by, transfer or delivery to, or disclosure to, a person, entity or system of Personal Information where such person, entity or system is located in a country or jurisdiction other than the country or jurisdiction from which the Personal Information originated. You and Global Payments agree that when a Transfer is subject to the GDPR, the EU Standard Contractual Clauses Module Two (Controller to Processor) or Module Three (Processor to Processor) (found in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council), which are deemed incorporated into and form part of these Program Terms, will apply as follows:\n\n- Global Payments shall be deemed to be the “data exporter” and you shall be deemed the “data importer” with respect to the processing of Personal Information.\n- Clause 7 shall not apply.\n- The audits described in Clause 8.9 shall be carried out in any manner that Global Payments deems appropriate.\n- For Clause 9, Option 1: Specific Prior Authorization shall apply, and the time period for the request for specific authorization shall be 30 days.\n- For Clause 11(a), the optional language shall not apply.\n- The Data Protection Commissioner of Ireland shall be the competent supervisory authority (Clause 13(a)).\n- The EU Standard Contractual Clauses will be governed by the laws of the Republic of Ireland (Clause 17). 
\n- Disputes shall be resolved before the courts of Ireland, County of Dublin (Clause 18).\n- The information included in the “Data Protection” section of these Program Terms is incorporated accordingly into Annexes I (A, B and C), II and III of the EU Standard Contractual Clauses.\n\nTransfers subject to the laws of the United Kingdom or the Swiss Confederation shall be pursuant to the EU Standard Contractual Clauses, as incorporated above, subject to any modifications required by the applicable jurisdiction’s regulatory authority to render those clauses a suitable mechanism for papering an international transfer.\n\nFor the avoidance of doubt, nothing about your agreement to comply with the terms set forth in this Data Protection section renders you an agent, employee, or contractor of Global Payments.\n\n##Safe Harbor\nAny research activities conducted in strict accordance with these Program Guidelines, as determined by Global Payments, will be considered authorized conduct, and we will not initiate legal action against you relating to such research activities. \n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-17T12:15:23.069Z"},{"id":3769102,"new_policy":"Have feedback on our program? Let us know [here!](https://docs.google.com/forms/d/e/1FAIpQLSc_bAdYNvHTZCaU8J0ES0u77I8znDQpN6FqAeCUdIeZARH_Uw/viewform?usp=sf_link)\n\n#Global Payments Vulnerability Disclosure Program (“VDP”) Policy\n\nGlobal Payments is a Fortune 500 worldwide commerce ecosystem serving customers in over 100 countries! 
We have a team of 24,000 experts and innovators working to serve our customers—dedicated to solving complexity in commerce by providing simple, secure payments and software solutions that anticipate changing needs and carry our customers forward. We’re trusted in over 3.5 million customer locations and 1,300 financial institutions. \n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security community to find vulnerabilities in order to keep our businesses and customers safe. Please read this Program Policy in its entirety.\n\n\n#Eligibility for Participation\n\nYou must be 18 years old or older to submit a vulnerability for consideration as part of the Program. If you are a minor (under 18 years of age), a parent or legal guardian must submit the vulnerability.\n\nYou must be an individual security researcher participating in your own individual capacity. If you work for a security research organization, that organization must permit you to participate in your individual capacity. You are responsible for reviewing and complying with your employer’s rules for participating in the Program.\n\n#Ineligibility for Participation\n\nYou may not participate in the VDP if you are any of the following:\nA resident of, or if you have a tax form from, China or Hong Kong. \n\nA resident of any country/region that is the subject of a broad, geographically-defined United States (U.S.) sanctions program, such as Cuba, Iran, North Korea, Sudan, Syria or Crimea, or a person, or an affiliate, agent, employee, or contractor of a person, that is designated in the U.S. 
Department of the Treasury’s Specially Designated Nationals and Blocked Persons List or any other Office of Foreign Assets Control (“OFAC”) sanctions list.\n\nA resident of any country/region, or a person, or an affiliate, agent, employee, or contractor of a person, that has been sanctioned by the relevant authorities in the country or region from which any data you access through the Program originates, or in which any portion of the information system you access is hosted and/or deployed.\n\nA current employee of Global Payments, a Global Payments affiliate, or an immediate family member (parent, sibling, spouse, or child) or household member of such an employee.\n\nA contingent staff member, contractor, or vendor employee that is currently working with, or has worked in the past twelve (12) months with, Global Payments or a Global Payments affiliate.\n\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. Neither VPN access nor credentials will be\nprovided for testing. 
\n\n#Disclosure Policy\n\n- You agree not to discuss this VDP or any vulnerabilities (even resolved ones) outside of the VDP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Participation Requirements\n\nThis Program is not intended to encourage any researcher to access, view, transmit, disclose, interact with, or otherwise process Personal Information, defined here to include any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Personal Information may include, as applicable, any Payment Account Number (PAN), Cardholder Data (CHD), or Sensitive Authentication Data (SAD), as each term is defined by the Payment Card Industry Data Security Standard (PCI-DSS). Should you encounter any Personal Information during your research or in connection with the Program, you are required to: (1) minimize your access to Personal Information, including immediately halting your activity, where possible; (2) comply with the additional data protection obligations set forth in the “Data Protection” section of these Program Terms, below; and (3) return any Personal Information you obtain during your research or in connection with the Program when you submit a report, and securely delete all copies of the Personal Information immediately following the submission of your report. \n\n#Program Rules\n\n- Keep scans to 45 requests per minute.\n- For account creation, use your HackerOne email address and only create a single user account.\n- Refer to the assets in scope for specific instructions on testing and follow those instructions.\n- Provide detailed reports with reproducible steps. 
If the report is not sufficiently detailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to prove impact. When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- You may only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments, our customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global Payments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. \n\nIn addition to the below, any vulnerability on the HackerOne Core Ineligible Findings list is out of scope:\n- Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof of concept.\n- Attacks requiring man-in-the-middle (MITM) or physical access to a user's device.\n- Vulnerabilities on partner or supplier products.\n- Rate limiting or brute-force issues on non-authentication endpoints.\n\n\n#Grounds for Disqualification\n\nBecause we do not allow any actions that could negatively impact the customer experience on our websites, apps, or other Global Payments assets, attempting any of the following could result in permanent disqualification from the Program and could result in a possible criminal and/or legal investigation:\n- Violation of the Participation Requirements\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner employees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Any other action that violates these Program Terms\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including scans using tools such as Core Impact or Nessus)\n\n\n#Additional Legal Terms\n\nBy submitting security or vulnerability information to Global Payments, you confirm that you have read, understand, and agree to these Program Terms. 
Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, or create derivative works based upon such information and otherwise exploit such information for any purpose.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. Nothing in these Program Terms shall be deemed to constitute a grant of any license or other right to or in any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.\n\nYou must comply with all applicable federal, state, local, and international laws, regulations, and rules in connection with your security research activities and your participation in the Program. If you violate any applicable law or any requirement established by these Program Terms, you will not be considered a security researcher, and you may become subject to criminal penalties and civil liability. In particular, by participating in the Program, you confirm your understanding: (1) that applicable United States federal laws make it a felony offense for you to intentionally access an information system that is connected to the internet without authorization, or to exceed the scope of your authorized access to such a system, and in doing so to obtain any information therefrom; and (2) that any action that you take on a Global Payments information system that exceeds the limits established by these Program Terms may therefore constitute a federal crime. 
Global Payments reserves all rights to pursue all available remedies, civil and criminal, against any individual or entity operating in violation or excess of the Program Terms.\n\nGlobal Payments retains the right to obtain your Personal Data (as defined in the HackerOne Privacy Policy) from HackerOne, and to process such Personal Data as necessary to accomplish the legitimate business objectives of Global Payments, including but not limited to ensuring the security and integrity of our infrastructure, data, products, and services. Global Payments may also obtain and process your Personal Data for the purpose of exercising or defending legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. By submitting a vulnerability report via the Global Payments Vulnerability Disclosure Program (https://hackerone.com/global-payments) you consent to HackerOne disclosing Personal Data to Global Payments, upon request, in the circumstances described in this paragraph.\n\nGlobal Payments may modify these Program Terms or terminate the Program at any time.\n\n##Data Protection\nTo the extent you access, or view, transmit, disclose, interact with, or otherwise process Personal Information in connection with the Program, you constitute a Processor and/or Service Provider, as each term is defined by Data Protection Laws. 
For purposes of these Program Terms, “Data Protection Laws” means all laws and regulations applicable to the processing of Personal Information in connection with the Program, which may include, but are not limited to, the California Consumer Privacy Act, as modified by the California Privacy Rights Act of 2020 (“CCPA”) and the General Data Protection Regulation (EU) 2016/679 (“GDPR”). Any capitalized term not defined herein shall have the meaning given to that term in the Data Protection Laws.\n\nProcessing Instructions and Details. As a Processor/Service Provider, you shall process Personal Information: (i) only to the extent necessary for participation in the Program; (ii) in compliance with all instructions provided by Global Payments in relation to the processing; and (iii) in accordance with these Program Terms and Data Protection Laws. The categories of Personal Information to which you gain access may include Global Payments team member and customer contact information and any other Personal Information accessed or viewed in connection with the Program. The nature of the processing is solely for the purpose of identifying and submitting a vulnerability through the Program and the duration of processing is limited to the time needed to submit the report. The business purpose and/or lawful basis of the processing is to ensure the security and integrity of our infrastructure, data, products, and services.\n\nProcessing Restrictions. 
You will not: (i) retain, use, disclose or otherwise process Personal Information for any purpose not contemplated by these Program Terms; (ii) retain, use, disclose, or otherwise process Personal Information outside of the direct business relationship between you and Global Payments; (iii) use, distribute, sell, rent, release, or disclose Personal Information to a third party for monetary or other valuable consideration; (iv) combine Personal Information with any other personal information that you receive from, or on behalf of, another person or persons, or collect from your own interaction with a Data Subject; or (v) share Personal Information with any third party for cross-context behavioral advertising, whether or not for monetary or other valuable compensation.\n\nCompliance with Data Protection Laws. You agree that: (i) you shall provide Personal Information with the same level of protection that Global Payments would be required to provide for it; and (ii) you understand the obligations placed upon you by Data Protection Laws. If you determine that you are no longer able to meet your compliance commitments in these Program Terms, you must immediately notify Global Payments in writing.\n\nSub-Processors. You agree that you will not use any Sub-Processors to process Personal Information without the prior written consent of Global Payments.\n\nConfidentiality and Security. You shall maintain the confidentiality of Personal Information to which you have access and limit such access to what is strictly necessary to participate in the Program. While any Personal Information is in your possession or accessible by you, you shall ensure you have reasonable and appropriate security procedures and practices in place to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure. \n\nPrivacy Incidents. 
You shall notify Global Payments immediately, and in no event later than 24 hours after becoming aware of a Privacy Incident, and you shall provide full assistance to Global Payments in meeting Global Payments’ obligation(s) with respect to such Privacy Incident under Data Protection Laws. For purposes of these Program Terms, “Privacy Incident” means any act, omission, event or occurrence that compromises the confidentiality, integrity, or availability of Personal Information. For the avoidance of doubt, the term “Privacy Incident” includes, without limitation: (i) any incident involving the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Information; and (ii) any incident involving Personal Information that meets the definition of a “security breach,” “personal data breach,” “breach of the security of the system,” or any other similar term under the Data Protection Laws.\n\nAssistance. You shall provide full assistance to Global Payments to enable Global Payments to meet its obligation(s) to perform any assessments or respond to any requests regarding the processing of Personal Information that are required by Data Protection Laws. You shall promptly provide to Global Payments, upon request, all information necessary to demonstrate your compliance with these Program Terms and Data Protection Laws.\n\nReturn and Deletion. You must return any Personal Information you obtain during your research or in connection with the Program when you submit a report, and securely delete all copies of the Personal Information immediately following the submission of your report.\n\nTransfers. You shall not Transfer Personal Information without the prior written consent of Global Payments. 
For purposes of these Program Terms, “Transfer” means the access by, transfer or delivery to, or disclosure to, a person, entity or system of Personal Information where such person, entity or system is located in a country or jurisdiction other than the country or jurisdiction from which the Personal Information originated. You and Global Payments agree that when a Transfer is subject to the GDPR, the EU Standard Contractual Clauses Module Two (Controller to Processor) or Module Three (Processor to Processor) (found in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council), which are deemed incorporated into and form part of these Program Terms, will apply as follows:\n\n- Global Payments shall be deemed to be the “data exporter” and you shall be deemed the “data importer” with respect to the processing of Personal Information.\n- Clause 7 shall not apply.\n- The audits described in Clause 8.9 shall be carried out in any manner that Global Payments deems appropriate.\n- For Clause 9, Option 1: Specific Prior Authorization shall apply, and the time period for the request for specific authorization shall be 30 days.\n- For Clause 11(a), the optional language shall not apply.\n- The Data Protection Commissioner of Ireland shall be the competent supervisory authority (Clause 13(a)).\n- The EU Standard Contractual Clauses will be governed by the laws of the Republic of Ireland (Clause 17). 
\n- Disputes shall be resolved before the courts of Ireland, County of Dublin (Clause 18).\n- The information included in the “Data Protection” section of these Program Terms is incorporated accordingly into Annexes I (A, B and C), II and III of the EU Standard Contractual Clauses.\n\nTransfers subject to the laws of the United Kingdom or the Swiss Confederation shall be pursuant to the EU Standard Contractual Clauses, as incorporated above, subject to any modifications required by the applicable jurisdiction’s regulatory authority to render those clauses a suitable mechanism for papering an international transfer.\n\nFor the avoidance of doubt, nothing about your agreement to comply with the terms set forth in this Data Protection section renders you an agent, employee, or contractor of Global Payments.\n\n##Safe Harbor\nAny research activities conducted in strict accordance with these Program Guidelines, as determined by Global Payments, will be considered authorized conduct, and we will not initiate legal action against you relating to such research activities. \n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-02T10:40:20.876Z"},{"id":3756787,"new_policy":"Have feedback on our program? Let us know [here!](https://docs.google.com/forms/d/e/1FAIpQLSc_bAdYNvHTZCaU8J0ES0u77I8znDQpN6FqAeCUdIeZARH_Uw/viewform?usp=sf_link)\n\n#Global Payments Vulnerability Disclosure Program (“VDP”) Policy\n\nGlobal Payments is a Fortune 500 worldwide commerce ecosystem serving customers in over 100 countries! 
We have a team of 24,000 experts and innovators working to serve our customers—dedicated to solving complexity in commerce by providing simple, secure payments and software solutions that anticipate changing needs and carry our customers forward. We’re trusted in over 3.5 million customer locations and 1,300 financial institutions. \n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security community to find vulnerabilities in order to keep our businesses and customers safe. Please read this Program Policy in its entirety.\n\n\n#Eligibility for Participation\n\nYou must be 18 years old or older to submit a vulnerability for consideration as part of the Program. If you are a minor (under 18 years of age), a parent or legal guardian must submit the vulnerability.\n\nYou must be an individual security researcher participating in your own individual capacity. If you work for a security research organization, that organization must permit you to participate in your individual capacity. You are responsible for reviewing and complying with your employer’s rules for participating in the Program.\n\n#Ineligibility for Participation\n\nYou may not participate in the VDP if you are any of the following:\nA resident of, or if you have a tax form from, China or Hong Kong. \n\nA resident of any country/region that is the subject of a broad, geographically-defined United States (U.S.) sanctions program, such as Cuba, Iran, North Korea, Sudan, Syria or Crimea, or a person, or an affiliate, agent, employee, or contractor of a person, that is designated in the U.S. 
Department of the Treasury’s Specially Designated Nationals and Blocked Persons List or any other Office of Foreign Assets Control (“OFAC”) sanctions list.\n\nA resident of any country/region, or a person, or an affiliate, agent, employee, or contractor of a person, that has been sanctioned by the relevant authorities in the country or region from which any data you access through the Program originates, or in which any portion of the information system you access is hosted and/or deployed.\n\nA current employee of Global Payments, a Global Payments affiliate, or an immediate family member (parent, sibling, spouse, or child) or household member of such an employee.\n\nA contingent staff member, contractor, or vendor employee that is currently working with, or has worked in the past twelve (12) months with, Global Payments or a Global Payments affiliate.\n\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. 
\n\n#Disclosure Policy\n\n- You agree not to discuss this VDP or any vulnerabilities (even resolved ones) outside of the VDP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Participation Requirements\n\nThis Program is not intended to encourage any researcher to access, view, transmit, disclose, interact with, or otherwise process Personal Information, defined here to include any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Personal Information may include, as applicable, any Primary Account Number (PAN), Cardholder Data (CHD), or Sensitive Authentication Data (SAD), as each term is defined by the Payment Card Industry Data Security Standard (PCI DSS). Should you encounter any Personal Information during your research or in connection with the Program, you are required to: (1) minimize your access to Personal Information, including immediately halting your activity, where possible; (2) comply with the additional data protection obligations set forth in the “Data Protection” section of these Program Terms, below; and (3) return any Personal Information you obtain during your research or in connection with the Program when you submit a report, and securely delete all copies of the Personal Information immediately following the submission of your report. \n\n#Program Rules\n\n- Keep scans to 45 requests per minute.\n- For account creation, use your HackerOne email address and only create a single user account.\n- Refer to the assets in scope for specific instructions on testing and follow those instructions.\n- Provide detailed reports with reproducible steps. 
If the report is not sufficiently detailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to prove impact. When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- You may only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments, our customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global Payments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. \n\nIn addition to the below, any vulnerability on the HackerOne Core Ineligible Findings list is out of scope:\n- Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof of concept.\n- Attacks requiring man-in-the-middle (MITM) or physical access to a user's device.\n- Vulnerabilities on partner or supplier products.\n- Rate limiting or brute-force issues on non-authentication endpoints.\n\n\n#Grounds for Disqualification\n\nBecause we do not allow any actions that could negatively impact the customer experience on our websites, apps, or other Global Payments assets, attempting any of the following could result in permanent disqualification from the Program and could result in a possible criminal and/or legal investigation:\n- Violation of the Participation Requirements\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner employees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Any other action that violates these Program Terms\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including scans using tools such as Core Impact or Nessus)\n\n\n#Additional Legal Terms\n\nBy submitting security or vulnerability information to Global Payments, you confirm that you have read, understand, and agree to these Program Terms. 
Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, or create derivative works based upon such information and otherwise exploit such information for any purpose.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. Nothing in these Program Terms shall be deemed to constitute a grant of any license or other right to or in any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.\n\nYou must comply with all applicable federal, state, local, and international laws, regulations, and rules in connection with your security research activities and your participation in the Program. If you violate any applicable law or any requirement established by these Program Terms, you will not be considered a security researcher, and you may become subject to criminal penalties and civil liability. In particular, by participating in the Program, you confirm your understanding: (1) that applicable United States federal laws make it a felony offense for you to intentionally access an information system that is connected to the internet without authorization, or to exceed the scope of your authorized access to such a system, and in doing so to obtain any information therefrom; and (2) that any action that you take on a Global Payments information system that exceeds the limits established by these Program Terms may therefore constitute a federal crime. 
Global Payments reserves all rights to pursue all available remedies, civil and criminal, against any individual or entity operating in violation or excess of the Program Terms.\n\nGlobal Payments retains the right to obtain your Personal Data (as defined in the HackerOne Privacy Policy) from HackerOne, and to process such Personal Data as necessary to accomplish the legitimate business objectives of Global Payments, including but not limited to ensuring the security and integrity of our infrastructure, data, products, and services. Global Payments may also obtain and process your Personal Data for the purpose of exercising or defending legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. By submitting a vulnerability report via the Global Payments Vulnerability Disclosure Program (https://hackerone.com/global-payments) you consent to HackerOne disclosing Personal Data to Global Payments, upon request, in the circumstances described in this paragraph.\n\nGlobal Payments may modify these Program Terms or terminate the Program at any time.\n\n##Data Protection\nTo the extent you access, or view, transmit, disclose, interact with, or otherwise process Personal Information in connection with the Program, you constitute a Processor and/or Service Provider, as each term is defined by Data Protection Laws. 
For purposes of these Program Terms, “Data Protection Laws” means all laws and regulations applicable to the processing of Personal Information in connection with the Program, which may include, but is not limited to, the California Consumer Privacy Act, as modified by the California Privacy Rights Act of 2020 (“CCPA”) and the General Data Protection Regulation (EU) 2016/679 (“GDPR”). Any capitalized term not defined herein shall have the meaning given to that term in the Data Protection Laws.\n\nProcessing Instructions and Details. As a Processor/Service Provider, you shall process Personal Information: (i) only to the extent necessary for participation in the Program; (ii) in compliance with all instructions provided by Global Payments in relation to the processing; and (iii) in accordance with these Program Terms and Data Protection Laws. The categories of Personal Information to which you gain access may include Global Payments team member and customer contact information and any other Personal Information accessed or viewed in connection with the Program. The nature of the processing is solely for the purpose of identifying and submitting a vulnerability through the Program and the duration of processing is limited to the time needed to submit the report. The business purpose and/or lawful basis of the processing is to ensure the security and integrity of our infrastructure, data, products, and services.\n\nProcessing Restrictions. 
You will not: (i) retain, use, disclose or otherwise process Personal Information for any purpose not contemplated by these Program Terms; (ii) retain, use, disclose, or otherwise process Personal Information outside of the direct business relationship between you and Global Payments; (iii) use, distribute, sell, rent, release, or disclose Personal Information to a third party for monetary or other valuable consideration; (iv) combine Personal Information with any other personal information that you receive from, or on behalf of, another person or persons, or collect from your own interaction with a Data Subject; or (v) share Personal Information with any third party for cross-context behavioral advertising, whether or not for monetary or other valuable compensation.\n\nCompliance with Data Protection Laws. You agree that: (i) you shall provide Personal Information with the same level of protection that Global Payments would be required to provide for it; and (ii) you understand the obligations placed upon you by Data Protection Laws. If you determine that you are no longer able to meet your compliance commitments in these Program Terms, you must immediately notify Global Payments in writing.\n\nSub-Processors. You agree that you will not use any Sub-Processors to process Personal Information without the prior written consent of Global Payments.\n\nConfidentiality and Security. You shall maintain the confidentiality of Personal Information to which you have access and limit such access to what is strictly necessary to participate in the Program. While any Personal Information is in your possession or accessible by you, you shall ensure you have reasonable and appropriate security procedures and practices in place to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure. \n\nPrivacy Incidents. 
You shall notify Global Payments immediately, and in no event later than 24 hours after becoming aware of a Privacy Incident, and you shall provide full assistance to Global Payments in meeting Global Payments’ obligation(s) with respect to such Privacy Incident under Data Protection Laws. For purposes of these Program Terms, “Privacy Incident” means any act, omission, event or occurrence that compromises the confidentiality, integrity, or availability of Personal Information. For the avoidance of doubt, the term “Privacy Incident” includes, without limitation: (i) any incident involving the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Information; and (ii) any incident involving Personal Information that meets the definition of a “security breach,” “personal data breach,” “breach of the security of the system,” or any other similar term under the Data Protection Laws.\n\nAssistance. You shall provide full assistance to Global Payments to enable Global Payments to meet its obligation(s) to perform any assessments or respond to any requests regarding the processing of Personal Information that are required by Data Protection Laws. You shall promptly provide to Global Payments, upon request, all information necessary to demonstrate your compliance with these Program Terms and Data Protection Laws.\n\nReturn and Deletion. You must return any Personal Information you obtain during your research or in connection with the Program when you submit a report, and securely delete all copies of the Personal Information immediately following the submission of your report.\n\nTransfers. You shall not Transfer Personal Information without the prior written consent of Global Payments. 
For purposes of these Program Terms, “Transfer” means the access by, transfer or delivery to, or disclosure to, a person, entity or system of Personal Information where such person, entity or system is located in a country or jurisdiction other than the country or jurisdiction from which the Personal Information originated. You and Global Payments agree that when a Transfer is subject to the GDPR, the EU Standard Contractual Clauses Module Two (Controller to Processor) or Module Three (Processor to Processor) (found in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council), which are deemed incorporated into and form part of these Program Terms, will apply as follows:\n\n- Global Payments shall be deemed to be the “data exporter” and you shall be deemed the “data importer” with respect to the processing of Personal Information.\n- Clause 7 shall not apply.\n- The audits described in Clause 8.9 shall be carried out in any manner that Global Payments deems appropriate.\n- For Clause 9, Option 1: Specific Prior Authorization shall apply, and the time period for the request for specific authorization shall be 30 days.\n- For Clause 11(a), the optional language shall not apply.\n- The Data Protection Commissioner of Ireland shall be the competent supervisory authority (Clause 13(a)).\n- The EU Standard Contractual Clauses will be governed by the laws of the Republic of Ireland (Clause 17). 
\n- Disputes shall be resolved before the courts of Ireland, County of Dublin (Clause 18).\n- The information included in the “Data Protection” section of these Program Terms is incorporated accordingly into Annexes I (A, B and C), II and III of the EU Standard Contractual Clauses.\n\nTransfers subject to the laws of the United Kingdom or the Swiss Confederation shall be pursuant to the EU Standard Contractual Clauses, as incorporated above, subject to any modifications required by the applicable jurisdiction’s regulatory authority to render those clauses a suitable mechanism for papering an international transfer.\n\nFor the avoidance of doubt, nothing about your agreement to comply with the terms set forth in this Data Protection section renders you an agent, employee, or contractor of Global Payments.\n\n##Safe Harbor\nAny research activities conducted in strict accordance with these Program Guidelines, as determined by Global Payments, will be considered authorized conduct, and we will not initiate legal action against you relating to such research activities. \n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-06-03T13:45:30.942Z"},{"id":3756786,"new_policy":"Have feedback on our program? Let us know [here!](https://docs.google.com/forms/d/e/1FAIpQLSc_bAdYNvHTZCaU8J0ES0u77I8znDQpN6FqAeCUdIeZARH_Uw/viewform?usp=sf_link)\n\n#Global Payments Vulnerability Disclosure Program (“VDP”) Policy\n\nGlobal Payments is a Fortune 500 worldwide commerce ecosystem serving customers in over 100 countries! 
We have a team of 24,000 experts and innovators working to serve our customers—dedicated to solving complexity in commerce by providing simple, secure payments and software solutions that anticipate changing needs and carry our customers forward. We’re trusted in over 3.5 million customer locations and 1,300 financial institutions. \n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security community to find vulnerabilities in order to keep our businesses and customers safe. Please read this Program Policy in its entirety.\n\n\n#Eligibility for Participation\n\nYou must be 18 years old or older to submit a vulnerability for consideration as part of the Program. If you are a minor (under 18 years of age), a parent or legal guardian must submit the vulnerability.\n\nYou must be an individual security researcher participating in your own individual capacity. If you work for a security research organization, that organization must permit you to participate in your individual capacity. You are responsible for reviewing and complying with your employer’s rules for participating in the Program.\n\n#Ineligibility for Participation\n\nYou may not participate in the VDP if you are any of the following:\nA resident of, or if you have a tax form from, China or Hong Kong. \n\nA resident of any country/region that is the subject of a broad, geographically-defined United States (U.S.) sanctions program, such as Cuba, Iran, North Korea, Sudan, Syria or Crimea, or a person, or an affiliate, agent, employee, or contractor of a person, that is designated in the U.S. 
Department of the Treasury’s Specially Designated Nationals and Blocked Persons List or any other Office of Foreign Assets Control (“OFAC”) sanctions list.\n\nA resident of any country/region, or a person, or an affiliate, agent, employee, or contractor of a person, that has been sanctioned by the relevant authorities in the country or region from which any data you access through the Program originates, or in which any portion of the information system you access is hosted and/or deployed.\n\nA current employee of Global Payments, a Global Payments affiliate, or an immediate family member (parent, sibling, spouse, or child) or household member of such an employee.\n\nA contingent staff member, contractor, or vendor employee that is currently working with, or has worked in the past twelve (12) months with, Global Payments or a Global Payments affiliate.\n\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. 
\n\n#Disclosure Policy\n\n- You agree not to discuss this VDP or any vulnerabilities (even resolved ones) outside of the VDP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Participation Requirements\n\nThis Program is not intended to encourage any researcher to access, view, transmit, disclose, interact with, or otherwise process Personal Information, defined here to include any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Personal Information may include, as applicable, any Primary Account Number (PAN), Cardholder Data (CHD), or Sensitive Authentication Data (SAD), as each term is defined by the Payment Card Industry Data Security Standard (PCI DSS). Should you encounter any Personal Information during your research or in connection with the Program, you are required to: (1) minimize your access to Personal Information, including immediately halting your activity, where possible; (2) comply with the additional data protection obligations set forth in the “Data Protection” section of these Program Terms, below; and (3) return any Personal Information you obtain during your research or in connection with the Program when you submit a report, and securely delete all copies of the Personal Information immediately following the submission of your report. \n\n#Program Rules\n\n- Keep scans to 45 requests per minute.\n- For account creation, use your HackerOne email address and only create a single user account.\n- Refer to the assets in scope for specific instructions on testing and follow those instructions.\n- Provide detailed reports with reproducible steps. 
If the report is not sufficiently detailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to prove impact. When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- You may only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments, our customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global Payments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. \n\nIn addition to the below, any vulnerability on the HackerOne Core Ineligible Findings list is out of scope:\n- Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof of concept.\n- Attacks requiring man-in-the-middle (MITM) or physical access to a user's device.\n- Vulnerabilities on partner or supplier products.\n- Rate limiting or brute-force issues on non-authentication endpoints.\n\n\n#Grounds for Disqualification\n\nBecause we do not allow any actions that could negatively impact the customer experience on our websites, apps, or other Global Payments assets, attempting any of the following could result in permanent disqualification from the Program and could result in a possible criminal and/or legal investigation:\n- Violation of the Participation Requirements\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner employees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Any other action that violates these Program Terms\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including scans using tools such as Core Impact or Nessus)\n\n\n#Additional Legal Terms\n\nBy submitting security or vulnerability information to Global Payments, you confirm that you have read, understand, and agree to these Program Terms. 
Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, or create derivative works based upon such information and otherwise exploit such information for any purpose.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. Nothing in these Program Terms shall be deemed to constitute a grant of any license or other right to or in any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.\n\nYou must comply with all applicable federal, state, local, and international laws, regulations, and rules in connection with your security research activities and your participation in the Program. If you violate any applicable law or any requirement established by these Program Terms, you will not be considered a security researcher, and you may become subject to criminal penalties and civil liability. In particular, by participating in the Program, you confirm your understanding: (1) that applicable United States federal laws make it a felony offense for you to intentionally access an information system that is connected to the internet without authorization, or to exceed the scope of your authorized access to such a system, and in doing so to obtain any information therefrom; and (2) that any action that you take on a Global Payments information system that exceeds the limits established by these Program Terms may therefore constitute a federal crime. 
Global Payments reserves all rights to pursue all available remedies, civil and criminal, against any individual or entity operating in violation or excess of the Program Terms.\n\nGlobal Payments retains the right to obtain your Personal Data (as defined in the HackerOne Privacy Policy) from HackerOne, and to process such Personal Data as necessary to accomplish the legitimate business objectives of Global Payments, including but not limited to ensuring the security and integrity of our infrastructure, data, products, and services. Global Payments may also obtain and process your Personal Data for the purpose of exercising or defending legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. By submitting a vulnerability report via the Global Payments Vulnerability Disclosure Program (https://hackerone.com/global-payments) you consent to HackerOne disclosing Personal Data to Global Payments, upon request, in the circumstances described in this paragraph.\n\nGlobal Payments may modify these Program Terms or terminate the Program at any time.\n\n##Data Protection\nTo the extent you access, or view, transmit, disclose, interact with, or otherwise process Personal Information in connection with the Bug Bounty Program, you constitute a Processor and/or Service Provider, as each term is defined by Data Protection Laws. 
For purposes of these Program Terms, “Data Protection Laws” means all laws and regulations applicable to the processing of Personal Information in connection with the Bug Bounty Program, which may include, but are not limited to, the California Consumer Privacy Act, as modified by the California Privacy Rights Act of 2020 (“CCPA”) and the General Data Protection Regulation (EU) 2016/679 (“GDPR”). Any capitalized term not defined herein shall have the meaning given to that term in the Data Protection Laws.\n\nProcessing Instructions and Details. As a Processor/Service Provider, you shall process Personal Information: (i) only to the extent necessary for participation in the Bug Bounty Program; (ii) in compliance with all instructions provided by Global Payments in relation to the processing; and (iii) in accordance with these Program Terms and Data Protection Laws. The categories of Personal Information to which you gain access may include Global Payments team member and customer contact information and any other Personal Information accessed or viewed in connection with the Bug Bounty Program. The nature of the processing is solely for the purpose of identifying and submitting a vulnerability through the Bug Bounty Program and the duration of processing is limited to the time needed to submit the report. The business purpose and/or lawful basis of the processing is to ensure the security and integrity of our infrastructure, data, products, and services.\n\nProcessing Restrictions. 
You will not: (i) retain, use, disclose or otherwise process Personal Information for any purpose not contemplated by these Program Terms; (ii) retain, use, disclose, or otherwise process Personal Information outside of the direct business relationship between you and Global Payments; (iii) use, distribute, sell, rent, release, or disclose Personal Information to a third party for monetary or other valuable consideration; (iv) combine Personal Information with any other personal information that you receive from, or on behalf of, another person or persons, or collect from your own interaction with a Data Subject; or (v) share Personal Information with any third party for cross-context behavioral advertising, whether or not for monetary or other valuable compensation.\n\nCompliance with Data Protection Laws. You agree that: (i) you shall provide Personal Information with the same level of protection that Global Payments would be required to provide for it; and (ii) you understand the obligations placed upon you by Data Protection Laws. If you determine that you are no longer able to meet your compliance commitments in these Program Terms, you must immediately notify Global Payments in writing.\n\nSub-Processors. You agree that you will not use any Sub-Processors to process Personal Information without the prior written consent of Global Payments.\n\nConfidentiality and Security. You shall maintain the confidentiality of Personal Information to which you have access and limit such access to what is strictly necessary to participate in the Bug Bounty Program. While any Personal Information is in your possession or accessible by you, you shall ensure you have reasonable and appropriate security procedures and practices in place to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure. \n\nPrivacy Incidents. 
You shall notify Global Payments immediately, and in no event later than 24 hours, upon becoming aware of a Privacy Incident, and you shall provide full assistance to Global Payments in meeting Global Payments’ obligation(s) with respect to such Privacy Incident under Data Protection Laws. For purposes of these Program Terms, “Privacy Incident” means any act, omission, event or occurrence that compromises the confidentiality, integrity, or availability of Personal Information. For the avoidance of doubt, the term “Privacy Incident” includes, without limitation: (i) any incident involving the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Information; and (ii) any incident involving Personal Information that meets the definition of a “security breach,” “personal data breach,” “breach of the security of the system,” or any other similar term under the Data Protection Laws.\n\nAssistance. You shall provide full assistance to Global Payments to enable Global Payments to meet its obligation(s) to perform any assessments or respond to any requests regarding the processing of Personal Information that are required by Data Protection Laws. You shall promptly provide to Global Payments, upon request, all information necessary to demonstrate your compliance with these Program Terms and Data Protection Laws.\n\nReturn and Deletion. You must return any Personal Information you obtain during your research or in connection with the Bug Bounty Program when you submit a report, and securely delete all copies of the Personal Information immediately following the submission of your report.\n\nTransfers. You shall not Transfer Personal Information without the prior written consent of Global Payments. 
For purposes of these Program Terms, “Transfer” means the access by, transfer or delivery to, or disclosure to, a person, entity or system of Personal Information where such person, entity or system is located in a country or jurisdiction other than the country or jurisdiction from which the Personal Information originated. You and Global Payments agree that when a Transfer is subject to the GDPR, the EU Standard Contractual Clauses Module Two (Controller to Processor) or Module Three (Processor to Processor) (found in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council), which are deemed incorporated into and form part of these Program Terms, will apply as follows:\n\n- Global Payments shall be deemed to be the “data exporter” and you shall be deemed the “data importer” with respect to the processing of Personal Information.\n- Clause 7 shall not apply.\n- The audits described in Clause 8.9 shall be carried out in any manner that Global Payments deems appropriate.\n- For Clause 9, Option 1: Specific Prior Authorization shall apply, and the time period for the request for specific authorization shall be 30 days.\n- For Clause 11(a), the optional language shall not apply.\n- The Data Protection Commissioner of Ireland shall be the competent supervisory authority (Clause 13(a)).\n- The EU Standard Contractual Clauses will be governed by the laws of the Republic of Ireland (Clause 17). 
\n- Disputes shall be resolved before the courts of Ireland, County of Dublin (Clause 18).\n- The information included in the “Data Protection” section of these Program Terms is incorporated accordingly into Annexes I (A, B and C), II and III of the EU Standard Contractual Clauses.\n\nTransfers subject to the laws of the United Kingdom or the Swiss Confederacy shall be pursuant to the EU Standard Contractual Clauses, as incorporated above, subject to any modifications required by the applicable jurisdiction’s regulatory authority to render those clauses a suitable mechanism for papering an international transfer.\n\nFor the avoidance of doubt, nothing about your agreement to comply with the terms set forth in this Data Protection section renders you an agent, employee, or contractor of Global Payments.\n\n##Safe Harbor\nAny research activities conducted in strict accordance with these Program Guidelines, as determined by Global Payments, will be considered authorized conduct, and we will not initiate legal action against you relating to such research activities. \n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-06-03T13:44:49.714Z"},{"id":3747870,"new_policy":"Have feedback on our program? Let us know [here!](https://docs.google.com/forms/d/e/1FAIpQLSc_bAdYNvHTZCaU8J0ES0u77I8znDQpN6FqAeCUdIeZARH_Uw/viewform?usp=sf_link)\n\n#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments is a Fortune 500 worldwide commerce ecosystem serving customers in over 100 countries! 
We have a team of 24,000 experts and innovators working to serve our customers—dedicated to solving complexity in commerce by providing simple, secure payments and software solutions that anticipate changing needs and carry our customers forward. We’re trusted in over 3.5 million customer locations and 1,300 financial institutions. \n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\nA resident of, or a person who has a tax form from, China or Hong Kong. A resident of any country/region that is under United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of the Treasury’s Specially Designated Nationals List.\n\nA current employee of Global Payments Inc., a Global Payments affiliate, or an immediate family member (parent, sibling, spouse, or child) or household member of such an employee.\n\nA contingent staff member, contractor, or vendor employee that is currently working with, or has worked in the past twelve (12) months with, Global Payments Inc. 
or a Global Payments affiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n\nThis VRP program is not intended to encourage any researcher to access or view any of the following sensitive forms of data, each of which is subject to stringent legal protections: (1) Personal Information, defined here to include any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household; or (2) any Payment Account Number (PAN), Cardholder Data (CHD), or Sensitive Authentication Data (SAD), as each term is defined by the Payment Card Industry Data Security Standard (PCI-DSS).  Should you encounter any such information during your research, you must immediately halt your activity and contact Global Payments, and you must purge any such data from your system(s) following the submission of your report. Adhering to these requirements protects both Global Payments and you.\nPlease provide detailed reports with reproducible steps. 
If the report is not sufficiently detailed to enable reproduction of the issue, the issue may not be triaged.\nSubmit one vulnerability per report, unless you need to chain vulnerabilities to prove impact.\nWhen duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).\nMultiple vulnerabilities caused by one underlying issue will be treated as one valid report.\nSocial engineering (e.g. phishing, vishing, smishing) is prohibited.\nOnly interact with accounts you own or with explicit permission of the account holder.\nDo not engage in any activity that can potentially or actually cause harm to Global Payments, our customers, or our employees.\nDo not engage in any activity that can potentially or actually stop or degrade Global Payments’ services or assets.\nDo no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.\nDo not initiate a fraudulent financial transaction.\n\n\n##Keep scans to 45 requests per minute\n* **Should you encounter any PII or PAN data during your research, it is required that you do not upload screenshots showing this data to your report.**\n- Please provide detailed reports with reproducible steps. If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to prove\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\nIn addition to the below, any vulnerability on the HackerOne Core Ineligible Findings list is out of scope:\nUnexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof of concept\nAttacks requiring MITM or physical access to a user's device\nVulnerabilities on partner or supplier products\nRate limiting or brute-force issues on non-authentication endpoints\n\n\n#Grounds for Disqualification\n\nBecause we do not allow any actions that could negatively impact the customer experience on our websites, apps, or other Global Payments assets, attempting any of the following could result in permanent disqualification from the VRP and could result in a possible criminal and/or legal investigation:\n\nDisruption or denial-of-service attacks (Application and Network)\nSocial engineering attacks\nBrute-force attacks\nExfiltration of data\nCode injection on live systems\nThe compromise or testing of application accounts that are not your own\nAny threats, attempts at coercion, or extortion of Global Payments employees, other partner employees, or customers\nPhysical attacks against Global Payments, contractors, or customers\nAny physical attempts against Global Payments property or data centers\nAny other action that violates these Program Guidelines\nAny other action that violates the law\nAny action that endangers yourself or others\nAggressive vulnerability scans or automated scans on Global Payments servers (including scans using tools such as Core Impact or Nessus)\n\n\n#Legal\n\nBy submitting security or vulnerability information to Global Payments, you confirm that you have read, understand, and agree to these Program Guidelines. 
Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, or create derivative works based upon such information and otherwise exploit such information for any purpose.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. Nothing in these Program Guidelines shall be deemed to constitute a grant of any license or other right to or in any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.\n\nYou must comply with all applicable federal, state, local, and international laws, regulations, and rules in connection with your security research activities. If you violate any applicable law or any requirement established by these Program Guidelines, you will not be considered a security researcher, and you may become subject to criminal penalties and civil liability. In particular, by participating in the Program, you confirm your understanding: (1) that applicable federal laws make it a felony offense for you to intentionally access an information system that is connected to the internet without authorization, or to exceed the scope of your authorized access to such a system, and in doing so to obtain any information therefrom; and (2) that any action that you take on a Global Payments information system that exceeds the limits established by these Program Guidelines may therefore constitute a federal crime. 
Global Payments reserves all rights to pursue all available remedies, civil and criminal, against any individual or entity operating in excess of the Program Guidelines.\n\nGlobal Payments retains the right to obtain your Personal Data (as defined in the HackerOne Privacy Policy) from HackerOne, and to process such Personal Data, as necessary to accomplish the legitimate business objectives of Global Payments, including but not limited to ensuring the security and integrity of our infrastructure, data, products, and services. Global Payments may also obtain and process your Personal Data for the purpose of exercising or defending legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. By submitting a vulnerability report via the Global Payments VDP (https://hackerone.com/global-payments) you consent to HackerOne sharing Personal Data with Global Payments, upon request, in the circumstances described in this paragraph.\n\nGlobal Payments may modify these terms and conditions or terminate the VRP at any time.\n\n\n##Safe Harbor\nAny research activities conducted in strict accordance with these Program Guidelines, as determined by Global Payments, will be considered authorized conduct, and we will not initiate legal action against you relating to such research activities. 
\n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-13T08:57:28.338Z"},{"id":3710137,"new_policy":"Have feedback on our program? Let us know [here!](https://docs.google.com/forms/d/e/1FAIpQLSc_bAdYNvHTZCaU8J0ES0u77I8znDQpN6FqAeCUdIeZARH_Uw/viewform?usp=sf_link)\n\n#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments is a Fortune 500 worldwide commerce ecosystem serving customers in over 100 countries! We have a team of 24,000 experts and innovators working to serve our customers—dedicated to solving complexity in commerce by providing simple, secure payments and software solutions that anticipate changing needs and carry our customers forward. We’re trusted in over 3.5 million customer locations and 1,300 financial institutions. \n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. 
The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n* **Should you encounter any PII or PAN data during your research, it is required that you do not upload screenshots showing this data to your report.**\n- Please provide detailed reports with reproducible steps. 
If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to prove\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\n - Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof\nof concept\n- Any activity that could lead to the disruption of our service (DoS/DDOS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or bruteforce issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Access the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with terms and conditions of the VRP or the law. If you engage in any activities that are inconsistent with the terms and conditions of the VRP or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability. Global Payments reserves all rights against any illegal use of the reported vulnerability information.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of any license or other right to or in respect of any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the abovementioned security and vulnerability information. By submitting such information to Global Payments, you are indicating that you have read, understand, and agree to the terms and conditions of this Program Policy. Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy) from HackerOne in the case of a significant security threat or incident to identify and resolve the security threat or incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion. \n\nAdditionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global\nPayments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and protect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments) you consent to HackerOne sharing Personal Information with Global Payments, upon request, in the circumstances described in this paragraph.\n\nExcept where prohibited by law, this Policy, including all revisions and amendments thereto, is governed by the laws of the United States, State of Georgia, without regard to its conflict or choice of law principles which would require application of the laws of another jurisdiction.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-03T12:39:24.938Z"},{"id":3707248,"new_policy":"\n**Program pausing from November 19th through Jan 2nd, 2024 due to an organizational code freeze. Please hold off on all research during this time.** \n\n\nHave feedback on our program? Let us know [here!](https://docs.google.com/forms/d/e/1FAIpQLSc_bAdYNvHTZCaU8J0ES0u77I8znDQpN6FqAeCUdIeZARH_Uw/viewform?usp=sf_link)\n\n#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments is a Fortune 500 worldwide commerce ecosystem serving customers in over 100 countries! 
We have a team of 24,000 experts and innovators working to serve our customers—dedicated to solving complexity in commerce by providing simple, secure payments and software solutions that anticipate changing needs and carry our customers forward. We’re trusted in over 3.5 million customer locations and 1,300 financial institutions. \n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. 
or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n* **Should you encounter any PII or PAN data during your research, it is required that you do not upload screenshots showing this data to your report.**\n- Please provide detailed reports with reproducible steps. If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\n - Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof\nof concept\n- Any activity that could lead to the disruption of our service (DoS/DDOS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or bruteforce issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Access the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with terms and conditions of the VRP or the law. If you engage in any activities that are inconsistent with the terms and conditions of the VRP or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability. Global Payments reserves all rights against any illegal use of the reported vulnerability information.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of any license or other right to or in respect of any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the abovementioned security and vulnerability information. By submitting such information to Global Payments, you are indicating that you have read, understand, and agree to the terms and conditions of this Program Policy. Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy) from HackerOne in the case of a significant security threat or incident to identify and resolve the security threat or incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion. \n\nAdditionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global\nPayments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and protect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments) you consent to HackerOne sharing Personal Information with Global Payments, upon request, in the circumstances described in this paragraph.\n\nExcept where prohibited by law, this Policy, including all revisions and amendments thereto, is governed by the laws of the United States, State of Georgia, without regard to its conflict or choice of law principles which would require application of the laws of another jurisdiction.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-17T19:30:15.567Z"},{"id":3689196,"new_policy":"\nHave feedback on our program? Let us know [here!](https://docs.google.com/forms/d/e/1FAIpQLSc_bAdYNvHTZCaU8J0ES0u77I8znDQpN6FqAeCUdIeZARH_Uw/viewform?usp=sf_link)\n\n#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments is a Fortune 500 worldwide commerce ecosystem serving customers in over 100 countries! 
We have a team of 24,000 experts and innovators working to serve our customers—dedicated to solving complexity in commerce by providing simple, secure payments and software solutions that anticipate changing needs and carry our customers forward. We’re trusted in over 3.5 million customer locations and 1,300 financial institutions. \n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. 
or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n* **Should you encounter any PII or PAN data during your research, it is required that you do not upload screenshots showing this data to your report.**\n- Please provide detailed reports with reproducible steps. If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\n - Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof\nof concept\n- Any activity that could lead to the disruption of our service (DoS/DDOS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or bruteforce issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Access the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with terms and conditions of the VRP or the law. If you engage in any activities that are inconsistent with the terms and conditions of the VRP or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability. Global Payments reserves all rights against any illegal use of the reported vulnerability information.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of any license or other right to or in respect of any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the abovementioned security and vulnerability information. By submitting such information to Global Payments, you are indicating that you have read, understand, and agree to the terms and conditions of this Program Policy. Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy) from HackerOne in the case of a significant security threat or incident to identify and resolve the security threat or incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion. \n\nAdditionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global\nPayments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and protect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments) you consent to HackerOne sharing Personal Information with Global Payments, upon request, in the circumstances described in this paragraph.\n\nExcept where prohibited by law, this Policy, including all revisions and amendments thereto, is governed by the laws of the United States, State of Georgia, without regard to its conflict or choice of law principles which would require application of the laws of another jurisdiction.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-12T13:44:37.677Z"},{"id":3689130,"new_policy":"**Please note that we will be pausing our program for the holidays between:**\n\n ==November 22, 2022 to January 4, 2023==\n\n**We look forward to working with you again soon!**\n\n___________________________________________________________________________________________\n\nHave feedback on our program? 
Let us know [here!](https://docs.google.com/forms/d/e/1FAIpQLSc_bAdYNvHTZCaU8J0ES0u77I8znDQpN6FqAeCUdIeZARH_Uw/viewform?usp=sf_link)\n\n#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments is a Fortune 500 worldwide commerce ecosystem serving customers in over 100 countries! We have a team of 24,000 experts and innovators working to serve our customers—dedicated to solving complexity in commerce by providing simple, secure payments and software solutions that anticipate changing needs and carry our customers forward. We’re trusted in over 3.5 million customer locations and 1,300 financial institutions. \n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. 
Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n* **Should you encounter any PII or PAN data during your research, it is required that you do not upload screenshots showing this data to your report.**\n- Please provide detailed reports with reproducible steps. 
If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\n - Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof\nof concept\n- Any activity that could lead to the disruption of our service (DoS/DDOS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or bruteforce issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Access the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with terms and conditions of the VRP or the law. If you engage in any activities that are inconsistent with the terms and conditions of the VRP or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability. Global Payments reserves all rights against any illegal use of the reported vulnerability information.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of any license or other right to or in respect of any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the abovementioned security and vulnerability information. By submitting such information to Global Payments, you are indicating that you have read, understand, and agree to the terms and conditions of this Program Policy. Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy) from HackerOne in the case of a significant security threat or incident to identify and resolve the security threat or incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion. \n\nAdditionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global\nPayments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and protect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments) you consent to HackerOne sharing Personal Information with Global Payments, upon request, in the circumstances described in this paragraph.\n\nExcept where prohibited by law, this Policy, including all revisions and amendments thereto, is governed by the laws of the United States, State of Georgia, without regard to its conflict or choice of law principles which would require application of the laws of another jurisdiction.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-09T21:23:55.759Z"},{"id":3680234,"new_policy":"**Please note that we will be pausing our program for the holidays between:**\n\n ==November 22, 2022 to January 4, 2023==\n\n**We look forward to working with you again soon!**\n\n___________________________________________________________________________________________\n\nHave feedback on our program? 
Let us know [here!](https://docs.google.com/forms/d/e/1FAIpQLSc_bAdYNvHTZCaU8J0ES0u77I8znDQpN6FqAeCUdIeZARH_Uw/viewform?usp=sf_link)\n\n#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments is a Fortune 500 worldwide commerce ecosystem serving customers in over 100 countries! We have a team of 24,000 experts and innovators working to serve our customers—dedicated to solving complexity in commerce by providing simple, secure payments and software solutions that anticipate changing needs and carry our customers forward. We’re trusted in over 3.5 million customer locations and 1,300 financial institutions. \n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. 
Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n- Please provide detailed reports with reproducible steps. If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\n - Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof\nof concept\n- Any activity that could lead to the disruption of our service (DoS/DDOS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or bruteforce issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Access the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with terms and conditions of the VRP or the law. If you engage in any activities that are inconsistent with the terms and conditions of the VRP or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability. Global Payments reserves all rights against any illegal use of the reported vulnerability information.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of any license or other right to or in respect of any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the abovementioned security and vulnerability information. By submitting such information to Global Payments, you are indicating that you have read, understand, and agree to the terms and conditions of this Program Policy. Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy) from HackerOne in the case of a significant security threat or incident to identify and resolve the security threat or incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion. \n\nAdditionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global\nPayments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and protect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments) you consent to HackerOne sharing Personal Information with Global Payments, upon request, in the circumstances described in this paragraph.\n\nExcept where prohibited by law, this Policy, including all revisions and amendments thereto, is governed by the laws of the United States, State of Georgia, without regard to its conflict or choice of law principles which would require application of the laws of another jurisdiction.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-11-22T20:59:09.888Z"},{"id":3673605,"new_policy":"\nHave feedback on our program? Let us know [here!](https://docs.google.com/forms/d/e/1FAIpQLSc_bAdYNvHTZCaU8J0ES0u77I8znDQpN6FqAeCUdIeZARH_Uw/viewform?usp=sf_link)\n\n#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments is a Fortune 500 worldwide commerce ecosystem serving customers in over 100 countries! 
We have a team of 24,000 experts and innovators working to serve our customers—dedicated to solving complexity in commerce by providing simple, secure payments and software solutions that anticipate changing needs and carry our customers forward. We’re trusted in over 3.5 million customer locations and 1,300 financial institutions. \n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. 
or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n- Please provide detailed reports with reproducible steps. If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\n - Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof\nof concept\n- Any activity that could lead to the disruption of our service (DoS/DDOS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or bruteforce issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Access the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with terms and conditions of the VRP or the law. If you engage in any activities that are inconsistent with the terms and conditions of the VRP or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability. Global Payments reserves all rights against any illegal use of the reported vulnerability information.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of any license or other right to or in respect of any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the abovementioned security and vulnerability information. By submitting such information to Global Payments, you are indicating that you have read, understand, and agree to the terms and conditions of this Program Policy. Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy) from HackerOne in the case of a significant security threat or incident to identify and resolve the security threat or incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion. \n\nAdditionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global\nPayments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and protect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments) you consent to HackerOne sharing Personal Information with Global Payments, upon request, in the circumstances described in this paragraph.\n\nExcept where prohibited by law, this Policy, including all revisions and amendments thereto, is governed by the laws of the United States, State of Georgia, without regard to its conflict or choice of law principles which would require application of the laws of another jurisdiction.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-06-29T16:58:21.616Z"},{"id":3663770,"new_policy":"\nHave feedback on our program? Let us know [here!](https://docs.google.com/forms/d/e/1FAIpQLSc_bAdYNvHTZCaU8J0ES0u77I8znDQpN6FqAeCUdIeZARH_Uw/viewform?usp=sf_link)\n\n#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments is a Fortune 500 worldwide commerce ecosystem serving customers in over 100 countries! 
We have a team of 24,000 experts and innovators working to serve our customers—dedicated to solving complexity in commerce by providing simple, secure payments and software solutions that anticipate changing needs and carry our customers forward. We’re trusted in over 3.5 million customer locations and 1,300 financial institutions. \n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. 
or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n- Please provide detailed reports with reproducible steps. If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\n- Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof\nof concept\n- Any activity that could lead to the disruption of our service (DoS/DDOS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or bruteforce issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Access the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with terms and conditions of the VRP or the law. If you engage in any activities that are inconsistent with the terms and conditions of the VRP or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability. Global Payments reserves all rights against any illegal use of the reported vulnerability information.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of any license or other right to or in respect of any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the abovementioned security and vulnerability information. By submitting such information to Global Payments, you are indicating that you have read, understand, and agree to the terms and conditions of this Program Policy. Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy) from HackerOne in the case of a significant security threat or incident to identify and resolve the security threat or incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion. \n\nAdditionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global\nPayments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and protect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments) you consent to HackerOne sharing Personal Information with Global Payments, upon request, in the circumstances described in this paragraph.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-01-04T21:20:07.730Z"},{"id":3663007,"new_policy":"**Please note that we will be pausing our program for the holidays between:**\n\n- **November 21, 2021 to November 30, 2021**\n**and**\n- **December 14, 2021 to January 3, 2022**\n\n**We look forward to working with you again soon!**\n___________________________________________________________________________________________\n\nHave feedback on our program? Let us know [here!](https://docs.google.com/forms/d/e/1FAIpQLSc_bAdYNvHTZCaU8J0ES0u77I8znDQpN6FqAeCUdIeZARH_Uw/viewform?usp=sf_link)\n\n#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments is a Fortune 500 worldwide commerce ecosystem serving customers in over 100 countries! 
We have a team of 24,000 experts and innovators working to serve our customers—dedicated to solving complexity in commerce by providing simple, secure payments and software solutions that anticipate changing needs and carry our customers forward. We’re trusted in over 3.5 million customer locations and 1,300 financial institutions. \n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. 
or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n- Please provide detailed reports with reproducible steps. If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\n- Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof\nof concept\n- Any activity that could lead to the disruption of our service (DoS/DDOS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or bruteforce issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Access the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with terms and conditions of the VRP or the law. If you engage in any activities that are inconsistent with the terms and conditions of the VRP or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability. Global Payments reserves all rights against any illegal use of the reported vulnerability information.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of any license or other right to or in respect of any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the abovementioned security and vulnerability information. By submitting such information to Global Payments, you are indicating that you have read, understand, and agree to the terms and conditions of this Program Policy. Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy) from HackerOne in the case of a significant security threat or incident to identify and resolve the security threat or incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion. \n\nAdditionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global\nPayments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and protect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments) you consent to HackerOne sharing Personal Information with Global Payments, upon request, in the circumstances described in this paragraph.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-14T15:36:26.904Z"},{"id":3662153,"new_policy":"**Please note that we will be pausing our program for the holidays between:**\n\n- **November 21, 2021 to November 30, 2021**\n**and**\n- **December 19, 2021 to January 3, 2022**\n\n**We look forward to working with you again soon!**\n___________________________________________________________________________________________\n\nHave feedback on our program? Let us know [here!](https://docs.google.com/forms/d/e/1FAIpQLSc_bAdYNvHTZCaU8J0ES0u77I8znDQpN6FqAeCUdIeZARH_Uw/viewform?usp=sf_link)\n\n#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments is a Fortune 500 worldwide commerce ecosystem serving customers in over 100 countries! 
We have a team of 24,000 experts and innovators working to serve our customers—dedicated to solving complexity in commerce by providing simple, secure payments and software solutions that anticipate changing needs and carry our customers forward. We’re trusted in over 3.5 million customer locations and 1,300 financial institutions. \n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. 
or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n- Please provide detailed reports with reproducible steps. If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\n- Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof\nof concept\n- Any activity that could lead to the disruption of our service (DoS/DDOS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or bruteforce issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Access the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with terms and conditions of the VRP or the law. If you engage in any activities that are inconsistent with the terms and conditions of the VRP or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability. Global Payments reserves all rights against any illegal use of the reported vulnerability information.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of any license or other right to or in respect of any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the abovementioned security and vulnerability information. By submitting such information to Global Payments, you are indicating that you have read, understand, and agree to the terms and conditions of this Program Policy. Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy) from HackerOne in the case of a significant security threat or incident to identify and resolve the security threat or incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion. \n\nAdditionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global\nPayments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and protect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments) you consent to HackerOne sharing Personal Information with Global Payments, upon request, in the circumstances described in this paragraph.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-24T16:59:50.701Z"},{"id":3662152,"new_policy":"**Please note that we will be pausing our program for holiday code freezes between**\n- **November 21, 2021 to November 30, 2021**\n**and**\n- **December 19, 2021 to January 3, 2022**\n\n**We look forward to working with you again soon!**\n___________________________________________________________________________________________\n\nHave feedback on our program? Let us know [here!](https://docs.google.com/forms/d/e/1FAIpQLSc_bAdYNvHTZCaU8J0ES0u77I8znDQpN6FqAeCUdIeZARH_Uw/viewform?usp=sf_link)\n\n#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments is a Fortune 500 worldwide commerce ecosystem serving customers in over 100 countries! 
We have a team of 24,000 experts and innovators working to serve our customers—dedicated to solving complexity in commerce by providing simple, secure payments and software solutions that anticipate changing needs and carry our customers forward. We’re trusted in over 3.5 million customer locations and 1,300 financial institutions. \n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. 
or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n- Please provide detailed reports with reproducible steps. If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\n - Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof\nof concept.\n- Any activity that could lead to the disruption of our service (DoS/DDoS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Accessing the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with the terms and conditions of the VRP or the law. If you engage in any activities that are inconsistent with the terms and conditions of the VRP or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability. Global Payments reserves all rights against any illegal use of the reported vulnerability information.\n\nAny Global Payments information that you may encounter, view, acquire, or access is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of any license or other right to or in respect of any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the above-mentioned security and vulnerability information. By submitting such information to Global Payments, you are indicating that you have read, understand, and agree to the terms and conditions of this Program Policy. Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy) from HackerOne in the case of a significant security threat or incident to identify and resolve the security threat or incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion. \n\nAdditionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global\nPayments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and protect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments) you consent to HackerOne sharing Personal Information with Global Payments, upon request, in the circumstances described in this paragraph.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-24T16:58:55.269Z"},{"id":3659722,"new_policy":"Have feedback on our program? Let us know [here!](https://docs.google.com/forms/d/e/1FAIpQLSc_bAdYNvHTZCaU8J0ES0u77I8znDQpN6FqAeCUdIeZARH_Uw/viewform?usp=sf_link)\n\n#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments is a Fortune 500 worldwide commerce ecosystem serving customers in over 100 countries! We have a team of 24,000 experts and innovators working to serve our customers—dedicated to solving complexity in commerce by providing simple, secure payments and software solutions that anticipate changing needs and carry our customers forward. We’re trusted in over 3.5 million customer locations and 1,300 financial institutions. \n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. 
Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. 
\n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n- Please provide detailed reports with reproducible steps. If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. 
The following issues are considered out of scope:\n\n- Unexploitable vulnerabilities discovered via scanning. All submissions must have a valid proof\nof concept.\n- Any activity that could lead to the disruption of our service (DoS/DDoS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Accessing the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with the terms and conditions of the VRP or the law. If you engage in any activities that are inconsistent with the terms and conditions of the VRP or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability. Global Payments reserves all rights against any illegal use of the reported vulnerability information.\n\nAny Global Payments information that you may encounter, view, acquire, or access is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of any license or other right to or in respect of any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the above-mentioned security and vulnerability information. By submitting such information to Global Payments, you are indicating that you have read, understand, and agree to the terms and conditions of this Program Policy. Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy) from HackerOne in the case of a significant security threat or incident to identify and resolve the security threat or incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion. \n\nAdditionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global\nPayments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and protect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments) you consent to HackerOne sharing Personal Information with Global Payments, upon request, in the circumstances described in this paragraph.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-08T15:21:22.092Z"},{"id":3656370,"new_policy":"#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments is a Fortune 500 worldwide commerce ecosystem serving customers in over 100 countries! We have a team of 24,000 experts and innovators working to serve our customers—dedicated to solving complexity in commerce by providing simple, secure payments and software solutions that anticipate changing needs and carry our customers forward. We’re trusted in over 3.5 million customer locations and 1,300 financial institutions. \n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. 
Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. 
\n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n- Please provide detailed reports with reproducible steps. If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. 
The following issues are considered out of scope:\n\n- Unexploitable vulnerabilities discovered via scanning. All submissions must have a valid proof\nof concept.\n- Any activity that could lead to the disruption of our service (DoS/DDoS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Accessing the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with the terms and conditions of the VRP or the law. If you engage in any activities that are inconsistent with the terms and conditions of the VRP or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability. Global Payments reserves all rights against any illegal use of the reported vulnerability information.\n\nAny Global Payments information that you may encounter, view, acquire, or access is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of any license or other right to or in respect of any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the above-mentioned security and vulnerability information. By submitting such information to Global Payments, you are indicating that you have read, understand, and agree to the terms and conditions of this Program Policy. Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy) from HackerOne in the case of a significant security threat or incident to identify and resolve the security threat or incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion. \n\nAdditionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global\nPayments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and protect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments) you consent to HackerOne sharing Personal Information with Global Payments, upon request, in the circumstances described in this paragraph.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-09T11:21:31.889Z"},{"id":3653380,"new_policy":"#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. 
The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n- Please provide detailed reports with reproducible steps. 
If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\n - Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof\nof concept\n- Any activity that could lead to the disruption of our service (DoS/DDOS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or bruteforce issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Access the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with terms and conditions of the VRP or the law. If you engage in any activities that are inconsistent with the terms and conditions of the VRP or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability. Global Payments reserves all rights against any illegal use of the reported vulnerability information.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of any license or other right to or in respect of any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the abovementioned security and vulnerability information. By submitting such information to Global Payments, you are indicating that you have read, understand, and agree to the terms and conditions of this Program Policy. Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.\n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy) from HackerOne in the case of a significant security threat or incident to identify and resolve the security threat or incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion. \n\nAdditionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global\nPayments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and protect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments) you consent to HackerOne sharing Personal Information with Global Payments, upon request, in the circumstances described in this paragraph.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-11T16:41:35.050Z"},{"id":3653378,"new_policy":"#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. 
The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n- Please provide detailed reports with reproducible steps. 
If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\n - Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof\nof concept\n- Any activity that could lead to the disruption of our service (DoS/DDOS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or bruteforce issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Access the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in\nconnection with your security research activities. You may not engage in any security research or\nvulnerability disclosure activity that is inconsistent with terms and conditions of the VRP or the law. If\nyou engage in any activities that are inconsistent with the terms and conditions of the VRP or the law,\nyou will not be considered a security researcher and may be subject to criminal penalties and civil\nliability. Global Payments reserves all rights against any illegal use of the reported vulnerability\ninformation.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global\nPayments or its customers, clients, or third-party providers. You have no rights, title, or ownership in\nany such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of\nany license or other right to or in respect of any Global Payments or third-party product, service, patent,\ntrademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the abovementioned security and vulnerability\ninformation. By submitting such information to Global Payments, you are indicating that you have read,\nunderstand, and agree to the terms and conditions of this Program Policy. Further, you agree that by\nsubmitting such information to Global Payments, even if the information is not eligible for a reward, you\ngrant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable,\nfully-paid and royalty-free license under any and all intellectual property rights that you own or control\nto use, copy, modify, create derivative works based upon and otherwise exploit such information for any\npurpose.\n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy) from HackerOne in the case of a significant security threat or incident to identify and resolve the security threat or incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion. \n\nAdditionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global\nPayments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and protect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments) you consent to HackerOne sharing Personal Information with Global Payments, upon request, in the circumstances described in this paragraph.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-11T16:33:13.776Z"},{"id":3653377,"new_policy":"#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. 
The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n- Please provide detailed reports with reproducible steps. 
If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\n - Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof\nof concept\n- Any activity that could lead to the disruption of our service (DoS/DDOS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or bruteforce issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Access the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in connection with your security research activities. You may not engage in any security research or vulnerability disclosure activity that is inconsistent with terms and conditions of the VRP or the law. If you engage in any activities that are inconsistent with the terms and conditions of the VRP or the law, you will not be considered a security researcher and may be subject to criminal penalties and civil liability. Global Payments reserves all rights against any illegal use of the reported vulnerability information. \n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global Payments or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of any license or other right to or in respect of any Global Payments or third-party product, service, patent, trademark, trade secret, or other intellectual property. \n\nYou have no obligation to provide Global Payments with the abovementioned security and vulnerability information. By submitting such information to Global Payments, you are indicating that you have read, understand, and agree to the terms and conditions of this Program Policy. Further, you agree that by submitting such information to Global Payments, even if the information is not eligible for a reward, you grant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose. \n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy) from HackerOne in the case of a significant security threat or incident to identify and resolve the security threat or incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion. \n\nAdditionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global Payments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and protect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments) you consent to HackerOne sharing Personal Information with Global Payments, upon request, in the circumstances described in this paragraph. \n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct\nand we will not initiate legal action against you. If legal action is initiated by a third party against you in\nconnection with activities conducted under this policy, we will take steps to make it known that your\nactions were conducted in compliance with this policy.\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-11T16:32:38.012Z"},{"id":3653372,"new_policy":"#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. 
The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n- Please provide detailed reports with reproducible steps. 
If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\n - Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof\nof concept\n- Any activity that could lead to the disruption of our service (DoS/DDOS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or bruteforce issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Access the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in\nconnection with your security research activities. You may not engage in any security research or\nvulnerability disclosure activity that is inconsistent with terms and conditions of the VRP or the law. If\nyou engage in any activities that are inconsistent with the terms and conditions of the VRP or the law,\nyou will not be considered a security researcher and may be subject to criminal penalties and civil\nliability. Global Payments reserves all rights against any illegal use of the reported vulnerability\ninformation.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global\nPayments or its customers, clients, or third-party providers. You have no rights, title, or ownership in\nany such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of\nany license or other right to or in respect of any Global Payments or third-party product, service, patent,\ntrademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the abovementioned security and vulnerability\ninformation. By submitting such information to Global Payments, you are indicating that you have read,\nunderstand, and agree to the terms and conditions of this Program Policy. Further, you agree that by\nsubmitting such information to Global Payments, even if the information is not eligible for a reward, you\ngrant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable,\nfully-paid and royalty-free license under any and all intellectual property rights that you own or control\nto use, copy, modify, create derivative works based upon and otherwise exploit such information for any\npurpose.\n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy) from HackerOne in the case of a significant security threat or incident to identify and resolve the security threat or incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion. \n\nAdditionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global\nPayments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and protect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments) you consent to HackerOne sharing Personal Information with Global Payments, upon request, in the circumstances described in this paragraph.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct\nand we will not initiate legal action against you. If legal action is initiated by a third party against you in\nconnection with activities conducted under this policy, we will take steps to make it known that your\nactions were conducted in compliance with this policy.\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-11T14:12:23.068Z"},{"id":3653290,"new_policy":"#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. 
The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be\nprovided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n- Please provide detailed reports with reproducible steps. 
If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\n - Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof\nof concept\n- Any activity that could lead to the disruption of our service (DoS/DDOS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or bruteforce issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Access the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in\nconnection with your security research activities. You may not engage in any security research or\nvulnerability disclosure activity that is inconsistent with terms and conditions of the VRP or the law. If\nyou engage in any activities that are inconsistent with the terms and conditions of the VRP or the law,\nyou will not be considered a security researcher and may be subject to criminal penalties and civil\nliability. Global Payments reserves all rights against any illegal use of the reported vulnerability\ninformation.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global\nPayments or its customers, clients, or third-party providers. You have no rights, title, or ownership in\nany such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of\nany license or other right to or in respect of any Global Payments or third-party product, service, patent,\ntrademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the abovementioned security and vulnerability\ninformation. By submitting such information to Global Payments, you are indicating that you have read,\nunderstand, and agree to the terms and conditions of this Program Policy. Further, you agree that by\nsubmitting such information to Global Payments, even if the information is not eligible for a reward, you\ngrant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable,\nfully-paid and royalty-free license under any and all intellectual property rights that you own or control\nto use, copy, modify, create derivative works based upon and otherwise exploit such information for any\npurpose.\n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy)\nfrom HackerOne in the case of a significant security threat or incident to identify and resolve the security threat\nor incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion. \nAdditionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global\nPayments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the\nrights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and\nprotect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and\nour assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against\nthird-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments)\nyou consent to HackerOne sharing Personal Information with Global\nPayments, upon request, in the circumstances described in this paragraph.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct\nand we will not initiate legal action against you. If legal action is initiated by a third party against you in\nconnection with activities conducted under this policy, we will take steps to make it known that your\nactions were conducted in compliance with this policy.\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-09T19:26:14.758Z"},{"id":3653289,"new_policy":"#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. 
The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be provided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n- Please provide detailed reports with reproducible steps. 
If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\n - Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof\nof concept\n- Any activity that could lead to the disruption of our service (DoS/DDOS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or bruteforce issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Access the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in\nconnection with your security research activities. You may not engage in any security research or\nvulnerability disclosure activity that is inconsistent with terms and conditions of the VRP or the law. If\nyou engage in any activities that are inconsistent with the terms and conditions of the VRP or the law,\nyou will not be considered a security researcher and may be subject to criminal penalties and civil\nliability. Global Payments reserves all rights against any illegal use of the reported vulnerability\ninformation.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global\nPayments or its customers, clients, or third-party providers. You have no rights, title, or ownership in\nany such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of\nany license or other right to or in respect of any Global Payments or third-party product, service, patent,\ntrademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the abovementioned security and vulnerability\ninformation. By submitting such information to Global Payments, you are indicating that you have read,\nunderstand, and agree to the terms and conditions of this Program Policy. Further, you agree that by\nsubmitting such information to Global Payments, even if the information is not eligible for a reward, you\ngrant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable,\nfully-paid and royalty-free license under any and all intellectual property rights that you own or control\nto use, copy, modify, create derivative works based upon and otherwise exploit such information for any\npurpose.\n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy)\nfrom HackerOne in the case of a significant security threat or incident to identify and resolve the security threat\nor incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion. \nAdditionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global\nPayments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the\nrights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and\nprotect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and\nour assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against\nthird-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments)\nyou consent to HackerOne sharing Personal Information with Global\nPayments, upon request, in the circumstances described in this paragraph.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct\nand we will not initiate legal action against you. If legal action is initiated by a third party against you in\nconnection with activities conducted under this policy, we will take steps to make it known that your\nactions were conducted in compliance with this policy.\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-09T19:24:32.836Z"},{"id":3653232,"new_policy":"#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. 
The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be provided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n- Please provide detailed reports with reproducible steps. 
If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\n - Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof\nof concept\n- Any activity that could lead to the disruption of our service (DoS/DDOS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or bruteforce issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Access the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in\nconnection with your security research activities. You may not engage in any security research or\nvulnerability disclosure activity that is inconsistent with terms and conditions of the VRP or the law. If\nyou engage in any activities that are inconsistent with the terms and conditions of the VRP or the law,\nyou will not be considered a security researcher and may be subject to criminal penalties and civil\nliability. Global Payments reserves all rights against any illegal use of the reported vulnerability\ninformation.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global\nPayments or its customers, clients, or third-party providers. You have no rights, title, or ownership in\nany such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of\nany license or other right to or in respect of any Global Payments or third-party product, service, patent,\ntrademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the abovementioned security and vulnerability\ninformation. By submitting such information to Global Payments, you are indicating that you have read,\nunderstand, and agree to the terms and conditions of this Program Policy. Further, you agree that by\nsubmitting such information to Global Payments, even if the information is not eligible for a reward, you\ngrant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable,\nfully-paid and royalty-free license under any and all intellectual property rights that you own or control\nto use, copy, modify, create derivative works based upon and otherwise exploit such information for any\npurpose.\n\nGlobal Payments retains the right to obtain Personal Information (as defined in the HackerOne Privacy Policy) from HackerOne in the case of a significant security threat or incident to identify and resolve the security threat or incident. A 'significant security threat or incident' shall be defined by Global Payments in its sole discretion.  Additionally, Global Payments retains the right to obtain Personal Information from HackerOne, in Global Payments’ sole discretion, to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of Global Payments, of any other individuals, or of the general public; to maintain and protect the security and integrity of Global Payments’ assets or infrastructure; to protect Global Payments and our assets from fraudulent, abusive, or unlawful uses; or to investigate and defend Global Payments against third-party claims or allegations. 
By submitting a vulnerability report via the [Global Payments VDP](https://hackerone.com/global-payments) you consent to HackerOne sharing Personal Information with Global Payments, upon request, in the circumstances described in this paragraph.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct\nand we will not initiate legal action against you. If legal action is initiated by a third party against you in\nconnection with activities conducted under this policy, we will take steps to make it known that your\nactions were conducted in compliance with this policy.\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-08T19:41:51.348Z"},{"id":3651316,"new_policy":"#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments Inc. (“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. 
The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be provided for testing. \n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n##Keep scans to 45 requests per minute\n- Please provide detailed reports with reproducible steps. 
If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. The following issues are considered out of scope:\n\n - Unexploitable vulnerabilities discovered via scanning. 
All submissions must have a valid proof\nof concept\n- Any activity that could lead to the disruption of our service (DoS/DDOS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or bruteforce issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Access the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in\nconnection with your security research activities. You may not engage in any security research or\nvulnerability disclosure activity that is inconsistent with terms and conditions of the VRP or the law. If\nyou engage in any activities that are inconsistent with the terms and conditions of the VRP or the law,\nyou will not be considered a security researcher and may be subject to criminal penalties and civil\nliability. Global Payments reserves all rights against any illegal use of the reported vulnerability\ninformation.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global\nPayments or its customers, clients, or third-party providers. You have no rights, title, or ownership in\nany such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of\nany license or other right to or in respect of any Global Payments or third-party product, service, patent,\ntrademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the abovementioned security and vulnerability\ninformation. By submitting such information to Global Payments, you are indicating that you have read,\nunderstand, and agree to the terms and conditions of this Program Policy. Further, you agree that by\nsubmitting such information to Global Payments, even if the information is not eligible for a reward, you\ngrant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable,\nfully-paid and royalty-free license under any and all intellectual property rights that you own or control\nto use, copy, modify, create derivative works based upon and otherwise exploit such information for any\npurpose.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct\nand we will not initiate legal action against you. If legal action is initiated by a third party against you in\nconnection with activities conducted under this policy, we will take steps to make it known that your\nactions were conducted in compliance with this policy.\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-20T19:47:53.723Z"},{"id":3650565,"new_policy":"#Global Payments Vulnerability Research Program (“VRP”) Policy\n\nGlobal Payments Inc. 
(“Global Payments”) looks forward to working with the information security\ncommunity to find vulnerabilities in order to keep our businesses and customers safe. Please read this\nProgram Policy in its entirety.\n\n#Global Payments Information Security\n\nThe information security team at Global Payments is devoted to being a trusted security and assurance\npartner across the enterprise.\n\nPart of our vision is to develop and enable the organization to proactively identify and mitigate\ninformation security risk to our assets and to evolve our core information security foundation. The VRP\nwill be a key element in achieving these goals.\n\n#Ineligibility for Participation\n\nYou may not participate in the VRP if you are any of the following:\n\n- A resident of any country/region that is under United States sanctions, such as Cuba, Iran,\nNorth Korea, Sudan, and Syria or Crimea, or a person designated in the U.S. Department of\nthe Treasury’s Specially Designated Nationals List.\n- A current employee of Global Payments Inc., a Global Payments affiliate, or an immediate\nfamily member (parent, sibling, spouse, or child) or household member of such an employee.\n- A contingent staff member, contractor, or vendor employee that is currently working with, or\nhas worked in the past twelve (12) months with, Global Payments Inc. or a Global Payments\naffiliate.\n\n#Response Targets\n\nGlobal Payments will make a best effort to meet the following SLAs for security researchers participating\nin the VRP:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n#Scope\n\nAll assets associated with our core enterprise are considered in scope. No VPN access nor credentials will be provided for testing. 
\n\n#Disclosure Policy\n\n- You agree not to discuss this VRP or any vulnerabilities (even\nresolved ones) outside of the VRP without express consent from Global Payments.\n- Global Payments reserves the right to approve or deny any request for disclosure.\n- You agree to follow HackerOne's disclosure guidelines.\n\n#Program Rules\n\n- Please provide detailed reports with reproducible steps. If the report is not sufficiently\ndetailed to enable reproduction of the issue, the issue may not be triaged.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide\nimpact.\n- When duplicates occur, we only triage the first report that was received (provided that it can\nbe fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Only interact with accounts you own or with explicit permission of the account holder.\n- Do not engage in any activity that can potentially or actually cause harm to Global Payments,\nour customers, or our employees.\n- Do not engage in any activity that can potentially or actually stop or degrade Global\nPayments’ services or assets.\n- Do no harm and do not exploit any vulnerability beyond the minimal amount of testing\nrequired to prove that a vulnerability exists or to identify an indicator related to a\nvulnerability.\n- Do not store, share, compromise or destroy Global Payments or our customer data. If\nPersonally Identifiable Information (PII) is encountered, you should immediately halt your\nactivity, purge related data from your system, and contact Global Payments. This step\nprotects any potentially vulnerable data, and you.\n- Do not initiate a fraudulent financial transaction.\n\n#Out of scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security\nimpact of the bug. 
The following issues are considered out of scope:\n\n - Unexploitable vulnerabilities discovered via scanning. All submissions must have a valid proof\nof concept\n- Any activity that could lead to the disruption of our service (DoS/DDOS).\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive\nactions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Content spoofing and text injection issues without showing an attack vector/without being\nable to modify HTML/CSS\n- Rate limiting or bruteforce issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable\nversions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or\nheaders (e.g. stack traces, application or server errors).\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n\n#Grounds for Disqualification\n\nAttempting any of the following could result in permanent disqualification from the VRP and possible\ncriminal and/or legal investigation. 
We do not allow any actions that could negatively impact the\nexperience on our websites, apps, or other assets for other Global Payments customers.\n\n- Disruption or denial-of-service attacks (Application and Network)\n- Social engineering attacks\n- Brute-force attacks\n- Exfiltration of data\n- Code injection on live systems\n- The compromise or testing of application accounts that are not your own\n- Any threats, attempts at coercion, or extortion of Global Payments employees, other partner\nemployees, or customers\n- Physical attacks against Global Payments, contractors, or customers\n- Any physical attempts against Global Payments property or data centers\n- Access the personal information of any other person without consent\n- Any other action that violates the law\n- Any action that endangers yourself or others\n- Aggressive vulnerability scans or automated scans on Global Payments servers (including\nscans using tools such as Core Impact or Nessus)\n- **Keep scans to 45 requests per minute**\n\n#Legal\n\nYou must otherwise comply with all applicable Federal, State, and local laws, regulations, and rules in\nconnection with your security research activities. You may not engage in any security research or\nvulnerability disclosure activity that is inconsistent with terms and conditions of the VRP or the law. If\nyou engage in any activities that are inconsistent with the terms and conditions of the VRP or the law,\nyou will not be considered a security researcher and may be subject to criminal penalties and civil\nliability. Global Payments reserves all rights against any illegal use of the reported vulnerability\ninformation.\n\nAny Global Payments information that you may encounter, view, acquire, or access, is owned by Global\nPayments or its customers, clients, or third-party providers. You have no rights, title, or ownership in\nany such information. 
Nothing in this Program Policy shall be deemed to constitute the grant to you of\nany license or other right to or in respect of any Global Payments or third-party product, service, patent,\ntrademark, trade secret, or other intellectual property.\n\nYou have no obligation to provide Global Payments with the abovementioned security and vulnerability\ninformation. By submitting such information to Global Payments, you are indicating that you have read,\nunderstand, and agree to the terms and conditions of this Program Policy. Further, you agree that by\nsubmitting such information to Global Payments, even if the information is not eligible for a reward, you\ngrant Global Payments a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable,\nfully-paid and royalty-free license under any and all intellectual property rights that you own or control\nto use, copy, modify, create derivative works based upon and otherwise exploit such information for any\npurpose.\n\nGlobal Payments may modify the terms and conditions or terminate the VRP at any time.\n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct\nand we will not initiate legal action against you. If legal action is initiated by a third party against you in\nconnection with activities conducted under this policy, we will take steps to make it known that your\nactions were conducted in compliance with this policy.\nThank you for helping keep Global Payments and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-30T16:16:13.264Z"}]