Bug Bounty Program
Help us make payments more secure
This bounty program covers Chargezoom’s PayPortal Software-as-a-Service (SaaS). The product is used primarily by small businesses but also by other types of online businesses. It is a hosted PHP-based application installed and managed by Chargezoom.
As a Researcher, you will use your knowledge and skill to find security flaws in the implementation of the software, which is designed to provide automation around financial processes.
Reports will be reviewed and evaluated on an individual basis. You can expect valid security flaws to be rewarded based on both technical and business impact.
In Scope Targets
Important: all bug testing must be done only on In Scope Targets. Please refer to details in Out of Scope section before proceeding.
Create your Bug Testing Account here: https://chargezoom.com/bugbounty/account/
Unauthenticated and authenticated client areas
Each report is evaluated and variably rewarded based on both technical and business impact given the focus and trust outlined above.
- Server-side Remote Code Execution (RCE)
- SQL Injection (SQLi)
- Authentication Bypass
- Cross-site Request Forgery (CSRF)
- Cross-site Scripting (XSS)
Out of Scope
The following targets and vulnerabilities are specifically excluded from scope and should not be tested.
- Testing against live production is strictly forbidden.
- Testing against production systems is disruptive to operators and problematic for research.
- Flawed behavior observed on a production system outside your control may not be related to the product or reproducible, and is therefore ineligible for reward.
- Testing against the website is strictly forbidden and not eligible for rewards.
- External services/APIs utilized by the Chargezoom application for integration with vendor services, such as merchant gateways, SaaS platforms, etc. This also includes external services offered through the reseller channel.
- Server environment context or behaviors, such as the LAMP stack, OpenSSL, cURL libraries, etc.
- General product bugs that do not have a security impact.
- Miscalculation of payment, tax, or other bugs related to improper billing for access to services.
- License circumvention by means of deobfuscation, core code replacement, or other means of product mutation.
- Self-XSS and issues exploitable only through Self-XSS.
- Stored XSS created by an Admin (whose privileges allow content creation for use by lesser or equally privileged admins, clients, or site visitors).
- CSRF on forms that are available to anonymous users or for customization (e.g. the contact form, login form, etc.).
- SSRF by an Admin with privilege to access or manage 1) remote servers/3rd-party integrations and/or 2) configurations within Chargezoom for servers or integrations.
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Impact from third-party code that augments core functionality (e.g. hooks, modules).
- Any flaw requiring access to, or execution of, files or routines of the manual installer/updater.
- Disclosure of access credentials for remote systems to Admins authorized to access the respective system.
The Chargezoom application has many service integrations (modules). In most cases, these integrations will be managed by Chargezoom. Of course, the design of the service’s API will be a limiting factor in the level of security that is possible and practical for Chargezoom. In other cases the integration code will have been provided directly by the service provider, and maintenance/security will need to be handled by them; Chargezoom simply provides the integration as part of the packaged application. Reports against these integrations will be evaluated for scope applicability. Where a report is not applicable to the Chargezoom security team, researchers will be given an appropriate contact when one is available.
Please note: This program does NOT allow disclosure. You may not release information about vulnerabilities found in this program to the public.
If a researcher wants to retain disclosure rights, they may put forth a proposal that will be considered under the most extreme and convincing circumstances.
In summary: all submissions, rewarded or not, including Duplicate, Out of Scope, and Not Applicable submissions, are not to be disclosed at any level of detail to the public at any time unless guided by Chargezoom following explicit, written permission.
If this is unacceptable, we humbly request researchers find another Program that is more aligned to their needs and perspective.
Monetary rewards are variable and guided by the following severity criteria. All payouts are made via PayPal.
Reward is up to $5,000 USD
Reward is up to $2,500 USD
Reward is up to $1,000 USD
Reward is up to $500 USD