Square

We make selling simple for businesses of all sizes.

Serious about security

Our approach to security is designed to protect buyers and sellers. We monitor every transaction from swipe to payment, we continuously innovate in fraud prevention, and we protect businesses’ data like our business depends on it—because it does. We adhere to industry-leading standards to manage our network, secure our web and client applications, and set policies across our organization.

If you believe you have discovered a security vulnerability, please follow the guidelines below.

Disclosure procedures

Square recognizes the important contributions the security research community can make. We encourage coordinated reporting of security issues with our services. We take the security of our services very seriously and monitor their use for indications of a malicious attack. In order to allow us to identify legitimate security research as opposed to malicious attacks against our services, we promise not to bring legal action against researchers who:

  • Share with us the full details of any problem found.
  • Do not disclose the issue to others until we’ve had reasonable time to address it.
  • Do not intentionally harm the experience or usefulness of the service to others.
  • Never attempt to view, modify, or damage data belonging to others.
  • Do not attempt a denial-of-service attack.
  • Do not perform any research or testing in violation of law.

Attributes of a good report

  • Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc.
  • Describe the versions of all relevant components of the attack (e.g., browser, OS, mobile app version).
  • Describe a concrete attack scenario. How will the problem impact Square or Square buyers/sellers? Put the problem into context.

Scope

We welcome you to report problems under squareup.com or square.com. Our Android and iOS mobile applications for Square Cash and Square Register are also in scope. We are particularly interested in problems with Square’s payment flows. Confirmed vulnerabilities that directly affect our payments flows will receive a $500 minimum reward.

Ineligible reports

  • Issues related to software not under Square's control
  • Reports from automated tools or scans
  • Social engineering of Square staff or contractors
  • Any physical attempts against Square property or data centers
  • Logout CSRF
  • Presence of autocomplete attribute on web forms
  • Missing cookie flags on non-sensitive cookies
  • Missing HTTP security headers (unless you deliver a proof of concept that leverages their absence)
  • Clickjacking on widgets intended to be embedded in other pages
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)
  • POODLE: We have implemented protections against the recently reported vulnerability in SSLv3. Please do not send POODLE vulnerability reports from automated scanners.
  • An oracle that discloses whether a given username is associated with an actual account. (However, please do submit anything that allows you to recover usernames en masse.)
Square resolved a bug that was submitted by deepankerchawla.
About 9 hours ago
Square rewarded deepankerchawla with a $300 bounty.
About 9 hours ago
Square resolved a bug that was submitted by sergeym.
About 10 hours ago
Square rewarded sergeym with a $300 bounty.
About 10 hours ago
Square resolved a bug that was submitted by shahmeer_amir.
3 days ago
Square rewarded shahmeer_amir with a $250 bounty.
3 days ago
Square rewarded jmoore15 with a $500 bounty.
5 days ago
Square resolved a bug that was submitted by mohaab007.
5 days ago
Square rewarded mlitchfield with a $500 bounty.
11 days ago
Square rewarded geekboy with a $400 bounty.
13 days ago
Square rewarded c37hun with a $300 bounty.
13 days ago
Square rewarded bughuntergr with a $300 bounty.
13 days ago
Square resolved a bug that was submitted by mohaab007.
13 days ago
Square rewarded mohaab007 with a $300 bounty.
13 days ago
Square rewarded stoun with a $300 bounty.
13 days ago
Square rewarded andrusha with a $400 bounty.
13 days ago
Square rewarded haiderm with a $300 bounty.
18 days ago
Square resolved a bug that was submitted by haiderm.
18 days ago
Square resolved a bug that was submitted by cliffordtrigo.
18 days ago
Square rewarded hammad with a $750 bounty.
18 days ago
Square resolved a bug that was submitted by hammad.
18 days ago
Square resolved a bug that was submitted by robin.
21 days ago
Square rewarded hysteria with a $300 bounty.
21 days ago
Square resolved a bug that was submitted by hysteria.
21 days ago
Square resolved a bug that was submitted by cryptopeg.
About 1 month ago
Square rewarded cryptopeg with a $250 bounty.
About 1 month ago
Square resolved a bug that was submitted by fransrosen.
About 1 month ago
Square rewarded fransrosen with a $250 bounty.
About 1 month ago
Square rewarded lccunha with a $350 bounty.
About 1 month ago
Square resolved a bug that was submitted by lccunha.
About 1 month ago
Square resolved a bug that was submitted by ankitbharathan.
About 2 months ago
Square resolved a bug that was submitted by hammadshamsi.
About 2 months ago
  • Minimum bounty: $300
  • Hackers thanked: 133
  • Bugs closed: 204