[{"id":3557790,"new_policy":"#Rewarding security bugs in our open source projects\nSquare recognizes the important contributions the security research community can make.  Part of keeping Square's customers safe is making sure that we find and fix any security issues in our open source projects.  If you find any vulnerabilities in any of our participating open source projects, send us a report.  Even better, send us a fix!\n\nNote: this program is to report issues in our open source projects. If you believe you have discovered a security vulnerability in one of Square's domains ([squareup.com](https://squareup.com), [square.com](https://square.com), or [cash.me](https://cash.me)), please report them at [https://hackerone.com/square](https://hackerone.com/square).\n\n#Attributes of a good report\n- Detailed explanation of the bug.\n- Include specific source code references when possible. You should at least list which project you are referring to.\n- Please include a proof-of-concept of the issue you're reporting.\n- Describe the versions of all relevant components of the issue (e.g. browser, operating system, mobile app version, etc.).\n\n#How to send a fix\nPlease do not open a pull request to fix an issue you're reporting.  This would unnecessarily reveal any potential vulnerabilities.  Instead, if you'd like to send us a fix, attach a patch file to the issue you open.  You'll need to sign our [Individual Contributor License Agreement](https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ\u0026ndplr=1) before any patches can be accepted.\n\n#Scope\nProjects which are hosted at https://github.com/square/, which contain a `BUG-BOUNTY.md` file in the root directory, and only the latest code in the `master` branch. Currently, the projects in scope are:\n- [git-fastclone](https://github.com/square/git-fastclone)\n- [Go-JOSE](https://github.com/square/go-jose)\n- [js-JOSE](https://github.com/square/js-jose)\n- [Keywhiz](https://github.com/square/keywhiz)\n- [KeywhizFs](https://github.com/square/keywhiz-fs)\n- [OkHttp](https://github.com/square/okhttp)\n- [Okio](https://github.com/square/okio)\n- [pam_krb_cache](https://github.com/square/pam_krb5_ccache)\n- [ghostunnel](https://github.com/square/ghostunnel)\n- [rails-auth](https://github.com/square/rails-auth)\n- [Retrofit](https://github.com/square/retrofit)\n- [Squalor](https://github.com/square/squalor)\n- [Valet](https://github.com/square/Valet)\n- [Wire](https://github.com/square/wire)\n \n#Ineligible reports\n- Issues related to software not under our control. Issues in underlying libraries used by our open source projects are not eligible for a reward. You are more than welcome to report them and we will follow up to try to get things fixed.\n- Most of our open source development is publicly visible. Reports related to an issue being fixed in a branch or being tracked in a public way will therefore not be eligible for a bounty.\n- Reports of issues without a proof-of-concept or clear path to exploitation.\n- Issues which can only be reproduced on specific combinations of hardware or software not used by Square.\f\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-17T18:19:29.510Z"},{"id":2198647,"new_policy":"#Rewarding security bugs in our open source projects\nSquare recognizes the important contributions the security research community can make.  Part of keeping Square's customers safe is making sure that we find and fix any security issues in our open source projects.  If you find any vulnerabilities in any of our participating open source projects, send us a report.  Even better, send us a fix!\n\nNote: this program is to report issues in our open source projects. If you believe you have discovered a security vulnerability in one of Square's domains ([squareup.com](https://squareup.com), [square.com](https://square.com), or [cash.me](https://cash.me)), please report them at [https://hackerone.com/square](https://hackerone.com/square).\n\n#Attributes of a good report\n- Detailed explanation of the bug.\n- Include specific source code references when possible. You should at least list which project you are referring to.\n- Please include a proof-of-concept of the issue you're reporting.\n- Describe the versions of all relevant components of the issue (e.g. browser, operating system, mobile app version, etc.).\n\n#How to send a fix\nPlease do not open a pull request to fix an issue you're reporting.  This would unnecessarily reveal any potential vulnerabilities.  Instead, if you'd like to send us a fix, attach a patch file to the issue you open.  You'll need to sign our [Individual Contributor License Agreement](https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ\u0026ndplr=1) before any patches can be accepted.\n\n#Scope\nProjects which are hosted at https://github.com/square/ and which contain a `BUG-BOUNTY.md` file in the root directory.  Currently, the projects in scope are:\n- [git-fastclone](https://github.com/square/git-fastclone)\n- [Go-JOSE](https://github.com/square/go-jose)\n- [js-JOSE](https://github.com/square/js-jose)\n- [Keywhiz](https://github.com/square/keywhiz)\n- [KeywhizFs](https://github.com/square/keywhiz-fs)\n- [OkHttp](https://github.com/square/okhttp)\n- [Okio](https://github.com/square/okio)\n- [pam_krb_cache](https://github.com/square/pam_krb5_ccache)\n- [ghostunnel](https://github.com/square/ghostunnel)\n- [rails-auth](https://github.com/square/rails-auth)\n- [Retrofit](https://github.com/square/retrofit)\n- [Squalor](https://github.com/square/squalor)\n- [Valet](https://github.com/square/Valet)\n- [Wire](https://github.com/square/wire)\n \n#Ineligible reports\n- Issues related to software not under our control. Issues in underlying libraries used by our open source projects are not eligible for a reward. You are more than welcome to report them and we will follow up to try to get things fixed.\n- Most of our open source development is publicly visible. Reports related to an issue being fixed in a branch or being tracked in a public way will therefore not be eligible for a bounty.\n- Reports of issues without a proof-of-concept or clear path to exploitation.\n- Issues which can only be reproduced on specific combinations of hardware or software not used by Square.\f\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-01-26T19:22:48.162Z"},{"id":2079267,"new_policy":"#Rewarding security bugs in our open source projects\nSquare recognizes the important contributions the security research community can make.  Part of keeping Square's customers safe is making sure that we find and fix any security issues in our open source projects.  If you find any vulnerabilities in any of our participating open source projects, send us a report.  Even better, send us a fix!\n\nNote: this program is to report issues in our open source projects. If you believe you have discovered a security vulnerability in one of Square's domains ([squareup.com](https://squareup.com), [square.com](https://square.com), or [cash.me](https://cash.me)), please report them at [https://hackerone.com/square](https://hackerone.com/square).\n\n#Attributes of a good report\n- Detailed explanation of the bug.\n- Include specific source code references when possible. You should at least list which project you are referring to.\n- Please include a proof-of-concept of the issue you're reporting.\n- Describe the versions of all relevant components of the issue (e.g. browser, operating system, mobile app version, etc.).\n\n#How to send a fix\nPlease do not open a pull request to fix an issue you're reporting.  This would unnecessarily reveal any potential vulnerabilities.  Instead, if you'd like to send us a fix, attach a patch file to the issue you open.  You'll need to sign our [Individual Contributor License Agreement](https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ\u0026ndplr=1) before any patches can be accepted.\n\n#Scope\nProjects which are hosted at https://github.com/square/ and which contain a `BUG-BOUNTY.md` file in the root directory.  Currently, the projects in scope are:\n- [git-fastclone](https://github.com/square/git-fastclone)\n- [Go-JOSE](https://github.com/square/go-jose)\n- [js-JOSE](https://github.com/square/js-jose)\n- [Keywhiz](https://github.com/square/keywhiz)\n- [KeywhizFs](https://github.com/square/keywhiz-fs)\n- [OkHttp](https://github.com/square/okhttp)\n- [Okio](https://github.com/square/okio)\n- [pam_krb_cache](https://github.com/square/pam_krb5_ccache)\n- [ghostunnel](https://github.com/square/ghostunnel)\n- [Retrofit](https://github.com/square/retrofit)\n- [Squalor](https://github.com/square/squalor)\n- [Valet](https://github.com/square/Valet)\n- [Wire](https://github.com/square/wire)\n \n#Ineligible reports\n- Issues related to software not under our control. Issues in underlying libraries used by our open source projects are not eligible for a reward. You are more than welcome to report them and we will follow up to try to get things fixed.\n- Most of our open source development is publicly visible. Reports related to an issue being fixed in a branch or being tracked in a public way will therefore not be eligible for a bounty.\n- Reports of issues without a proof-of-concept or clear path to exploitation.\n- Issues which can only be reproduced on specific combinations of hardware or software not used by Square.\f\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-10T00:04:14.374Z"},{"id":1921321,"new_policy":"#Rewarding security bugs in our open source projects\nSquare recognizes the important contributions the security research community can make.  Part of keeping Square's customers safe is making sure that we find and fix any security issues in our open source projects.  If you find any vulnerabilities in any of our participating open source projects, send us a report.  Even better, send us a fix!\n\nNote: this program is to report issues in our open source projects. If you believe you have discovered a security vulnerability in one of Square's domains ([squareup.com](https://squareup.com), [square.com](https://square.com), or [cash.me](https://cash.me)), please report them at [https://hackerone.com/square](https://hackerone.com/square).\n\n#Attributes of a good report\n- Detailed explanation of the bug.\n- Include specific source code references when possible. You should at least list which project you are referring to.\n- Please include a proof-of-concept of the issue you're reporting.\n- Describe the versions of all relevant components of the issue (e.g. browser, operating system, mobile app version, etc.).\n\n#How to send a fix\nPlease do not open a pull request to fix an issue you're reporting.  This would unnecessarily reveal any potential vulnerabilities.  Instead, if you'd like to send us a fix, attach a patch file to the issue you open.  You'll need to sign our [Individual Contributor License Agreement](https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ\u0026ndplr=1) before any patches can be accepted.\n\n#Scope\nProjects which are hosted at https://github.com/square/ and which contain a `BUG-BOUNTY.md` file in the root directory.  Currently, the projects in scope are:\n- [Go-JOSE](https://github.com/square/go-jose)\n- [js-JOSE](https://github.com/square/js-jose)\n- [Keywhiz](https://github.com/square/keywhiz)\n- [KeywhizFs](https://github.com/square/keywhiz-fs)\n- [OkHttp](https://github.com/square/okhttp)\n- [Okio](https://github.com/square/okio)\n- [pam_krb_cache](https://github.com/square/pam_krb5_ccache)\n- [ghostunnel](https://github.com/square/ghostunnel)\n- [Retrofit](https://github.com/square/retrofit)\n- [Squalor](https://github.com/square/squalor)\n- [Valet](https://github.com/square/Valet)\n- [Wire](https://github.com/square/wire)\n \n#Ineligible reports\n- Issues related to software not under our control. Issues in underlying libraries used by our open source projects are not eligible for a reward. You are more than welcome to report them and we will follow up to try to get things fixed.\n- Most of our open source development is publicly visible. Reports related to an issue being fixed in a branch or being tracked in a public way will therefore not be eligible for a bounty.\n- Reports of issues without a proof-of-concept or clear path to exploitation.\n- Issues which can only be reproduced on specific combinations of hardware or software not used by Square.\f\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-10-20T16:37:54.096Z"},{"id":1642605,"new_policy":"#Rewarding security bugs in our open source projects\nSquare recognizes the important contributions the security research community can make.  Part of keeping Square's customers safe is making sure that we find and fix any security issues in our open source projects.  If you find any vulnerabilities in any of our participating open source projects, send us a report.  Even better, send us a fix!\n\nNote: this program is to report issues in our open source projects. If you believe you have discovered a security vulnerability in one of Square's domains ([squareup.com](https://squareup.com), [square.com](https://square.com), or [cash.me](https://cash.me)), please report them at [https://hackerone.com/square](https://hackerone.com/square).\n\n#Attributes of a good report\n- Detailed explanation of the bug.\n- Include specific source code references when possible. You should at least list which project you are referring to.\n- Please include a proof-of-concept of the issue you're reporting.\n- Describe the versions of all relevant components of the issue (e.g. browser, operating system, mobile app version, etc.).\n\n#How to send a fix\nPlease do not open a pull request to fix an issue you're reporting.  This would unnecessarily reveal any potential vulnerabilities.  Instead, if you'd like to send us a fix, attach a patch file to the issue you open.  You'll need to sign our [Individual Contributor License Agreement](https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ\u0026ndplr=1) before any patches can be accepted.\n\n#Scope\nProjects which are hosted at https://github.com/square/ and which contain a `BUG-BOUNTY.md` file in the root directory.  Currently, the projects in scope are:\n- [Go-JOSE](https://github.com/square/go-jose)\n- [js-JOSE](https://github.com/square/js-jose)\n- [Keywhiz](https://github.com/square/keywhiz)\n- [KeywhizFs](https://github.com/square/keywhiz-fs)\n- [OkHttp](https://github.com/square/okhttp)\n- [Okio](https://github.com/square/okio)\n- [pam_krb_cache](https://github.com/square/pam_krb5_ccache)\n- [Retrofit](https://github.com/square/retrofit)\n- [Squalor](https://github.com/square/squalor)\n- [Valet](https://github.com/square/Valet)\n- [Wire](https://github.com/square/wire)\n \n#Ineligible reports\n- Issues related to software not under our control. Issues in underlying libraries used by our open source projects are not eligible for a reward. You are more than welcome to report them and we will follow up to try to get things fixed.\n- Most of our open source development is publicly visible. Reports related to an issue being fixed in a branch or being tracked in a public way will therefore not be eligible for a bounty.\n- Reports of issues without a proof-of-concept or clear path to exploitation.\n- Issues which can only be reproduced on specific combinations of hardware or software not used by Square.\f\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-07-02T18:31:48.618Z"},{"id":1474001,"new_policy":"#Rewarding security bugs in our open source projects\nSquare recognizes the important contributions the security research community can make.  Part of keeping Square's customers safe is making sure that we find and fix any security issues in our open source projects.  If you find any vulnerabilities in any of our participating open source projects, send us a report.  Even better, send us a fix!\n\nNote: this program is to report issues in our open source projects. If you believe you have discovered a security vulnerability in one of Square's domains ([squareup.com](https://squareup.com), [square.com](https://square.com), or [cash.me](https://cash.me)), please report them at [https://hackerone.com/square](https://hackerone.com/square).\n\n#Attributes of a good report\n- Detailed explanation of the bug.\n- Include specific source code references when possible. You should at least list which project you are referring to.\n- Please include a proof-of-concept of the issue you're reporting.\n- Describe the versions of all relevant components of the issue (e.g. browser, operating system, mobile app version, etc.).\n\n#How to send a fix\nPlease do not open a pull request to fix an issue you're reporting.  This would unnecessarily reveal any potential vulnerabilities.  Instead, if you'd like to send us a fix, attach a patch file to the issue you open.  You'll need to sign our [Individual Contributor License Agreement](https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ\u0026ndplr=1) before any patches can be accepted.\n\n#Scope\nProjects which are hosted at https://github.com/square/ and which contain a `BUG-BOUNTY.md` file in the root directory.  Currently, the projects in scope are:\n- [Go-JOSE](https://github.com/square/go-jose)\n- [js-JOSE](https://github.com/square/js-jose)\n- [Keywhiz](https://github.com/square/keywhiz)\n- [KeywhizFs](https://github.com/square/keywhiz-fs)\n- [OkHttp](https://github.com/square/okhttp)\n- [Okio](https://github.com/square/okio)\n- [pam_krb_cache](https://github.com/square/pam_krb5_ccache)\n- [Retrofit](https://github.com/square/retrofit)\n- [Squalor](https://github.com/square/squalor)\n- [Wire](https://github.com/square/wire)\n \n#Ineligible reports\n- Issues related to software not under our control. Issues in underlying libraries used by our open source projects are not eligible for a reward. You are more than welcome to report them and we will follow up to try to get things fixed.\n- Most of our open source development is publicly visible. Reports related to an issue being fixed in a branch or being tracked in a public way will therefore not be eligible for a bounty.\n- Reports of issues without a proof-of-concept or clear path to exploitation.\n- Issues which can only be reproduced on specific combinations of hardware or software not used by Square.\f\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-05-22T07:41:35.494Z"},{"id":1471858,"new_policy":"#Rewarding security bugs in our open source projects\nSquare recognizes the important contributions the security research community can make.  Part of keeping Square's customers safe is making sure that we find and fix any security issues in our open source projects.  If you find any vulnerabilities in any of our participating open source projects, send us a report.  Even better, send us a fix!\n\n#Attributes of a good report\n- Detailed explanation of the bug.\n- Include specific source code references when possible. You should at least list which project you are referring to.\n- Please include a proof-of-concept of the issue you're reporting.\n- Describe the versions of all relevant components of the issue (e.g. browser, operating system, mobile app version, etc.).\n\n#How to send a fix\nPlease do not open a pull request to fix an issue you're reporting.  This would unnecessarily reveal any potential vulnerabilities.  Instead, if you'd like to send us a fix, attach a patch file to the issue you open.  You'll need to sign our [Individual Contributor License Agreement](https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ\u0026ndplr=1) before any patches can be accepted.\n\n#Scope\nProjects which are hosted at https://github.com/square/ and which contain a `BUG-BOUNTY.md` file in the root directory.  Currently, the projects in scope are:\n- [Go-JOSE](https://github.com/square/go-jose)\n- [js-JOSE](https://github.com/square/js-jose)\n- [Keywhiz](https://github.com/square/keywhiz)\n- [KeywhizFs](https://github.com/square/keywhiz-fs)\n- [OkHttp](https://github.com/square/okhttp)\n- [Okio](https://github.com/square/okio)\n- [pam_krb_cache](https://github.com/square/pam_krb5_ccache)\n- [Retrofit](https://github.com/square/retrofit)\n- [Squalor](https://github.com/square/squalor)\n- [Wire](https://github.com/square/wire)\n \n#Ineligible reports\n- Issues related to software not under our control. Issues in underlying libraries used by our open source projects are not eligible for a reward. You are more than welcome to report them and we will follow up to try to get things fixed.\n- Most of our open source development is publicly visible. Reports related to an issue being fixed in a branch or being tracked in a public way will therefore not be eligible for a bounty.\n- Reports of issues without a proof-of-concept or clear path to exploitation.\n- Issues which can only be reproduced on specific combinations of hardware or software not used by Square.\f\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-05-21T05:32:06.076Z"},{"id":1445615,"new_policy":"#Rewarding security bugs in our open source projects\nSquare recognizes the important contributions the security research community can make.  Part of keeping Square's customers safe is making sure that we find and fix any security issues in our open source projects.  If you find any vulnerabilities in any of our participating open source projects, send us a report.  Even better, send us a fix!\n\n#Attributes of a good report\n- Detailed explanation of the bug.\n- Include specific source code references when possible.\n- Please include a proof-of-concept of the issue you're reporting.\n- Describe the versions of all relevant components of the issue (e.g. browser, operating system, mobile app version, etc.).\n\n#How to send a fix\nPlease do not open a pull request to fix an issue you're reporting.  This would unnecessarily reveal any potential vulnerabilities.  Instead, if you'd like to send us a fix, attach a patch file to the issue you open.  You'll need to sign our [Individual Contributor License Agreement](https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ\u0026ndplr=1) before any patches can be accepted.\n\n#Scope\nProjects which are hosted at https://github.com/square/ and which contain a `BUG-BOUNTY.md` file in the root directory.  Currently, the projects in scope are:\n- [Go-JOSE](https://github.com/square/go-jose)\n- [js-JOSE](https://github.com/square/js-jose)\n- [Keywhiz](https://github.com/square/keywhiz)\n- [KeywhizFs](https://github.com/square/keywhiz-fs)\n- [OkHttp](https://github.com/square/okhttp)\n- [Okio](https://github.com/square/okio)\n- [pam_krb_cache](https://github.com/square/pam_krb5_ccache)\n- [Retrofit](https://github.com/square/retrofit)\n- [Squalor](https://github.com/square/squalor)\n- [Wire](https://github.com/square/wire)\n \n#Ineligible reports\n- Issues related to software not under our control. Issues in underlying libraries used by our open source projects are not eligible for a reward. You are more than welcome to report them and we will follow up to try to get things fixed.\n- Most of our open source development is publicly visible. Reports related to an issue being fixed in a branch or being tracked in a public way will therefore not be eligible for a bounty.\n- Reports of issues without a proof-of-concept or clear path to exploitation.\n- Issues which can only be reproduced on specific combinations of hardware or software not used by Square.\f\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-05-11T19:50:00.683Z"}]