Square

We make selling simple for businesses of all sizes.

Serious about security

Our approach to security is designed to protect buyers and sellers. We monitor every transaction from swipe to payment, we continuously innovate in fraud prevention, and we protect businesses’ data like our business depends on it—because it does. We adhere to industry-leading standards to manage our network, secure our web and client applications, and set policies across our organization.

If you believe you have discovered a security vulnerability, please follow the guidelines below.

Disclosure procedures

Square recognizes the important contributions the security research community can make. We encourage coordinated reporting of security issues with our services. We take the security of our services very seriously and monitor their use for indications of a malicious attack. In order to allow us to identify legitimate security research as opposed to malicious attacks against our services, we promise not to bring legal action against researchers who:

  • Share with us the full details of any problem found.
  • Do not disclose the issue to others until we’ve had reasonable time to address it.
  • Do not intentionally harm the experience or usefulness of the service to others.
  • Never attempt to view, modify, or damage data belonging to others.
  • Do not attempt a denial-of-service attack.
  • Do not perform any research or testing in violation of law.

Attributes of a good report

  • Detailed steps for reproducing the bug. Where useful, include screenshots, the links you clicked, the pages you visited, etc.
  • Describe the versions of all relevant components of the attack (e.g. browser, OS, mobile app version).
  • Describe a concrete attack scenario. How will the problem impact Square or Square buyers/sellers? Put the problem into context.

Scope

We welcome you to report problems under squareup.com, square.com, or cash.me. Our Android and iOS mobile applications for Square Cash and Square Register are also in scope. We are particularly interested in problems with Square’s payment flows. Confirmed vulnerabilities that directly affect our payment flows will receive a $500 minimum reward.

Special CTF-style Flags!

Find the account

We've created an account with an email address of the form ftwr+[32 character flag]@squareup.com. Tell us how you found it, and you'll get a $1000 bounty. In case it helps, you can find the associated Square Market page here.

The SHA1 digest of the flag is: b9559723b3fd537e368fdc5c221eef72dc2e8adc.

Find the file

Find a file called hackerone-flag.txt with the contents of the form ftwr+[32 character flag]. Tell us how you found it, and you'll get a $1000 bounty.

The SHA1 digest of the flag is: 1fb27653e08cef9c6acdd520f2e9398ad3576549.

Computing the sha1

So that you can confirm you have found the right flag, we publish each flag's digest, computed by running echo [32 characters] | sha1sum. You can do the same in your terminal (you may need to install sha1sum or use an alternate method).
For example, if the value of the token were fb3f8fe63cc107c1977855c95633fb13 (it's not), then you would get:

~ echo fb3f8fe63cc107c1977855c95633fb13 | sha1sum
6f475d857588da6cc27cf38142c57fdbf4d57b9e  -
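As an added example (not from Square's page or tooling), the POSIX shell script below verifies a candidate flag against a published digest the same way the page computes it, and makes one caveat explicit: echo appends a newline before sha1sum reads its input, so the published digests cover the 32 characters plus that newline, and hashing the bare characters gives a different value. The function names and the fallback to shasum or openssl when sha1sum is absent are my assumptions.

```shell
# Added example, not Square's code: verify a candidate flag against a published
# SHA1 digest exactly the way the page computes it (echo FLAG | sha1sum).
# Caveat: echo appends a newline, so the digest covers 33 bytes, not 32.

# Read stdin and print only the hex SHA1 digest. sha1sum is assumed; the
# shasum/openssl fallbacks are for systems without GNU coreutils.
sha1_hex() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 1 | cut -d' ' -f1
  else
    openssl dgst -sha1 | sed 's/.*= //'
  fi
}

# Digest of exactly the bytes of $1 (no trailing newline).
sha1_raw() {
  printf '%s' "$1" | sha1_hex
}

# Digest the way the page computes it: the flag followed by "\n".
flag_digest() {
  printf '%s\n' "$1" | sha1_hex
}

# check_flag CANDIDATE PUBLISHED_DIGEST: exit status 0 on a match, 1 otherwise.
check_flag() {
  candidate=$1
  published=$2
  # A flag is exactly 32 characters; anything else cannot match.
  [ "${#candidate}" -eq 32 ] || return 1
  [ "$(flag_digest "$candidate")" = "$published" ]
}

# Usage with the page's own illustrative token and digest (the page states
# that this token is not a real flag).
sample=fb3f8fe63cc107c1977855c95633fb13
published=6f475d857588da6cc27cf38142c57fdbf4d57b9e
if check_flag "$sample" "$published"; then
  echo "$sample matches the published digest"
else
  echo "$sample does not match the published digest"
fi
# Hashing the bare 32 characters yields a different digest; this is the usual
# reason a correct flag appears not to match when checked by other means.
echo "without newline: $(sha1_raw "$sample")"
```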

Rules

Some things to keep in mind when hunting for flags:

  • Only flags created by Square are eligible for the reward. There will be at most one reward per flag.
  • Only the first person to report a flag and methodology for discovery will be rewarded.
  • The flags are long enough that brute force won't work. You'll have to be more creative!

Ineligible reports

  • Issues related to software not under Square's control
  • Reports from automated tools or scans
  • Social engineering of Square staff or contractors
  • Any physical attempts against Square property or data centers
  • Logout CSRF
  • Presence of autocomplete attribute on web forms
  • Missing cookie flags on non-sensitive cookies
  • Missing http security headers (unless you deliver a proof of concept that leverages their absence)
  • Clickjacking on widgets intended to be embedded in other pages
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)
  • An oracle that discloses whether a given username, email address, or phone number is associated with an actual account. (However, please do submit anything that allows you to recover usernames en masse.)
  • Using spoofed emails for phishing

Program statistics

  • $300 minimum bounty
  • 154 hackers thanked
  • 230 bugs closed