Bug Bounty Programme

Our team of developers work continuously to keep client information secure. At the same time, we understand the important role that security researchers and our user community play in helping to keep client data secure. If you discover a website or product vulnerability, please notify us using the guidelines below.

Programme terms and conditions

Please note that your participation in the Bug Bounty Programme is voluntary and subject to the terms and conditions set forth on this page. By submitting a website or product vulnerability to Paysera, you acknowledge that you have read and agreed to the terms and conditions of this Programme.
These Programme terms and conditions supplement the terms of any other agreement you have entered into with Paysera. In the event of any inconsistency between the terms of the Paysera agreements and these Programme terms and conditions, the latter shall prevail solely with respect to the Bug Bounty Programme.

Security issue reporting guidelines

If you think you have found a security vulnerability in a Paysera service, please report it to us by email at [email protected]. Include detailed steps to reproduce the issue and a brief description of its potential impact. We encourage responsible disclosure (as described below) and commit to investigating all legitimate reports promptly and addressing any confirmed issues as soon as possible.

Services in scope

Any Paysera service that processes reasonably sensitive user data is considered in scope. This includes, but is not limited to, virtually all content under the following domains: *.paysera.com.

Responsible disclosure policy

The security of user funds, data, and communications is a top priority at Paysera. To encourage responsible disclosure, we will not take legal action against researchers who identify vulnerabilities, provided they adhere to responsible disclosure principles, which include, but are not limited to, the following:

  • Only access, disclose, or modify your own customer data.

  • Do not perform any attack that could harm the reliability or integrity of our services or data.

  • Avoid scanning techniques that are likely to cause degradation of service to other customers (DoS, spamming).

  • Always keep details of vulnerabilities secret until Paysera has been notified and has fixed the issue.

  • Do not attempt to gain access to another user’s account or data.

In researching vulnerabilities on the website of Paysera, it is strictly forbidden to:

  • Perform actions that could disrupt or affect the operation of Paysera systems;

  • Attempt to unlawfully access, copy, distribute, or destroy Paysera’s or its clients’ data, either independently or through third parties;

  • Harm Paysera’s clients, including disrupting service provision, using social‑engineering methods, or sending unsolicited messages.

If you do not comply with these principles, Paysera may restrict your account, block your IP address, and take other legal actions.
We invite you to work together with Paysera developers in reproducing, diagnosing, and fixing the issue. We use the following guidelines to determine the eligibility of requests and the amount of reward.


Eligibility

A person is not eligible to participate in the Bug Bounty Programme if they:

  • Have violated any national or local laws;

  • Are a close family member of an employee of Paysera, its subsidiaries, or branches;

  • Are under 14 years of age. If you are at least 14 years old but are considered a minor in your place of residence, you must obtain written permission from your parents or legal guardians before participating in the Programme.

If Paysera discovers that you do not meet any of the criteria above, Paysera will remove you from the Bug Bounty Programme and disqualify you from receiving any bounty payments.

Amount of reward

Rewards are granted based on the severity of the security vulnerability. The more significant the vulnerability, the higher the reward for reporting it. Vulnerabilities that could lead to financial loss or compromise data security are considered particularly critical.

A smaller reward is given for vulnerabilities that do not cause any of the following results:

  • Partial/complete loss of funds;

  • Leakage of user data;

  • Compromise of data transmission integrity.


To be eligible for a reward, a security vulnerability must meet the following criteria:

  • Must be original and previously unreported;

  • Must demonstrate a remote system vulnerability, the potential to escalate privileges, or a risk of disclosing confidential information.

If multiple individuals report the same security vulnerability at the same time, the reward will be divided proportionally among them.
A higher reward may be granted in the following cases:

  • The researcher demonstrates a new class of attack or a technique for bypassing security features. Likewise, if the reporter shows through additional research that an already-known vulnerability is exploitable, additional compensation can be earned for the same bug.

  • The research uncovers extremely severe, complex, or otherwise interesting problem areas that were previously unreported or unknown.

If a report meets all the Programme requirements, bounty payments will be determined by Paysera, in Paysera’s sole discretion. In no event shall Paysera be obligated to pay a bounty for reports that fall outside the scope of the Bug Bounty Programme. All bounty payments can be made only in euros to an identified Paysera account. The reward may also be transferred to Greenpeace, the Red Cross or Caritas organizations at the researcher’s request. Payments via cryptocurrency or other payment systems not mentioned on this page are not supported.

When determining the reward amount, Paysera evaluates the risk posed by the security vulnerability and the potential impact it may have.


Examples of vulnerabilities

Examples of qualifying vulnerabilities

Paysera reserves the right to decide if the minimum severity qualification threshold is met and whether it was already reported.

  • Authentication bypass or privilege escalation.

  • Clickjacking (when a user is tricked into clicking on hidden or disguised elements of a webpage).

  • Cross-site scripting (XSS) (a vulnerability that allows the injection of additional code into a webpage viewed by users).

  • Cross-site request forgery (CSRF/XSRF)

  • Mixed-content scripts

  • Server-side code execution

  • User data breach

  • Remote code execution

Examples of non-qualifying vulnerabilities

Reporting the following vulnerabilities is appreciated but will not systematically lead to a reward from Paysera:

  • Denial of Service (DoS) vulnerability or issues related to rate-limiting.

  • Possibilities to send malicious links to people you know.

  • Security bugs in third-party websites that integrate with Paysera API.

  • Vulnerabilities related to third-party software (e.g. Java, plugins, extensions) or third-party websites, unless they lead to a vulnerability in a Paysera website.

  • Spam (including issues related to SPF/DKIM/DMARC).

  • Usability issues, forms autocomplete.

  • Insecure settings in non-sensitive cookies.

  • Browser cache vulnerabilities.

  • Vulnerabilities (including XSS) that require a potential victim to install non-standard software or otherwise take very unlikely active steps to make themselves susceptible.

  • Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

  • Vulnerabilities (including XSS) that affect only legacy browser/plugins.

  • Self-XSS (when the only possible victim is the user who pastes or enters the malicious payload into their own browser session).

  • CSRF for non-significant actions (logout, etc.).

  • Clickjacking attacks without a documented series of clicks that produce a vulnerability.

  • Content injection, such as reflected text or HTML tags.

  • Missing HTTP headers, except where their absence leaves an existing, demonstrated attack unmitigated.

  • Authentication bypasses that require access to the victim’s software or hardware.

  • Vulnerabilities that require prior access to passwords, tokens, or the local system (e.g. session fixation).

  • Assumed vulnerabilities based upon version numbers only.

  • Bugs requiring exceedingly unlikely user interaction.

  • Disclosure of public information and information that does not present significant risk.

  • Scripting or other automation and brute forcing of intended functionality.

  • Cross-origin requests that violate the same-origin policy without a concrete attack scenario (for example, a permissive CORS configuration on an endpoint where cookies are not used for authentication, or where the browser would not send them with the request).
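The last item above is the one most often misreported: a reflected `Access-Control-Allow-Origin` is only a finding if the browser would actually attach the victim's credentials to the cross-origin request. The triage helper below is an added example, not code from Paysera or from this page; it encodes the conditions under which a CORS response lets an attacker's page read an authenticated response. The response headers and hostnames are constructed for illustration, and `auth_via_cookie` is an assumption the tester supplies after checking how the endpoint authenticates.

```python
"""
Triage a CORS finding: does this response let an attacker-controlled origin
read data from the victim's authenticated session, or is it a
"no concrete attack scenario" case?
Added example; not Paysera's code. Sample headers below are constructed.
"""
from dataclasses import dataclass


@dataclass
class CorsVerdict:
    exploitable: bool
    reason: str


def cors_verdict(attacker_origin: str, headers: dict, auth_via_cookie: bool) -> CorsVerdict:
    """
    attacker_origin: the Origin value the attacker's page would send
                     (use "null" for a sandboxed-iframe or file:// origin).
    headers:         response headers from the target endpoint.
    auth_via_cookie: True if the endpoint authenticates with a cookie that the
                     browser attaches automatically (assumption supplied by the tester).
    """
    # Header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        return CorsVerdict(False, "no Access-Control-Allow-Origin: the browser blocks the cross-origin read")
    if acao == "*":
        # Browsers refuse to expose a credentialed response when ACAO is "*", so
        # this only discloses what an unauthenticated client could fetch anyway.
        return CorsVerdict(False, "wildcard origin: credentialed reads are rejected by the browser")
    if acao != attacker_origin:
        return CorsVerdict(False, f"ACAO is fixed to {acao}; the attacker's origin is not allowed")
    if not acac:
        return CorsVerdict(False, "origin reflected but no Allow-Credentials: response is unauthenticated")
    if not auth_via_cookie:
        # A bearer token in an Authorization header is never attached automatically,
        # so a reflected origin cannot ride the victim's session.
        return CorsVerdict(False, "session is not cookie-based: the attacker's page cannot send the victim's credentials")
    # Reflection of an arbitrary origin (including "null") plus credentials on a
    # cookie-authenticated endpoint is the exploitable combination.
    return CorsVerdict(True, "origin reflected with credentials on a cookie-authenticated endpoint")


if __name__ == "__main__":
    # Constructed sample responses from a hypothetical api.example endpoint.
    samples = {
        "wildcard": {"Access-Control-Allow-Origin": "*"},
        "reflected+creds": {"Access-Control-Allow-Origin": "https://attacker.example",
                            "Access-Control-Allow-Credentials": "true"},
        "reflected, no creds": {"Access-Control-Allow-Origin": "https://attacker.example"},
    }
    for name, hdrs in samples.items():
        v = cors_verdict("https://attacker.example", hdrs, auth_via_cookie=True)
        print(f"{name:20s} exploitable={v.exploitable}  ({v.reason})")
```

When writing the report, pair the verdict with the evidence it depends on: the raw request showing the reflected `Origin`, the response headers, and how you confirmed that the session is cookie-based (for example, the same request without cookies returning an unauthenticated response).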


Required information

When submitting information about a security vulnerability, please provide:

  • A full description of the vulnerability being reported, including its exploitability and impact.

  • All steps required to reproduce the exploitation of the vulnerability.

  • The URL(s)/application(s) affected (even if you have also provided a code snippet or video).

  • The IP addresses used while testing.

  • The user ID used for the PoC.

  • All files that you attempted to upload.

  • The complete PoC.

  • All attack logs, saved and attached to the report.
Failure to include any of the required elements may result in the bounty payment being withheld or delayed.
Report any vulnerabilities to us by email at [email protected].

Note!

Rewards cannot be granted to sanctioned individuals or to citizens of countries on the sanctions list (Cuba, Iran, North Korea, Sudan, Syria). You are responsible for any taxes applicable based on your country of residence and citizenship. Local laws may impose additional restrictions that could prevent you from participating in the Programme.

 

This Programme is not a competition, but rather an experimental and discretionary reward initiative. Please note that Paysera may terminate the Programme at any time.

Frequently Asked Questions

We consider vulnerability testing a vital part of security research and expect submitted reports to include a credible attack scenario so they can be considered for a reward. Reward amounts are determined by the maximum potential impact of the vulnerability. The review panel may revise the reward if new information emerges that materially increases the assessed impact (such as a chain of bugs, or a revised attack scenario).
Please submit your report as soon as you have discovered a potential security issue. The panel will consider the maximum impact and will choose the reward accordingly. We routinely pay higher rewards for otherwise well-written and useful reports where the reporter didn't notice or couldn't fully analyse the impact of a particular flaw.