PayKickstart offers a WhiteHat program for developers and researchers who discover security vulnerabilities and properly disclose them to PayKickstart. The program helps maintain the integrity of the platform while rewarding developers and researchers for their contributions.
Proper Disclosure
Proper disclosure includes:
- Providing clear instructions to replicate the issue and recommendations to resolve it.
- PayKickstart does NOT consent to public disclosures of issues due to the nature of our platform. Public disclosure releases will void any and all bounty rewards for the researcher(s) involved.
- DO NOT leak or destroy any PayKickstart data.
- DO NOT defraud PayKickstart users or PayKickstart itself in the process of discovery/reporting.
In order to encourage responsible disclosure, PayKickstart promises not to bring legal action against developers/researchers who identify a problem, provided they do their best to follow the above guidelines.
Rewards
- Payouts:
PayKickstart reserves the right to determine the severity of the bounty as well as the payout method and final amount as we deem necessary.
The minimum payout is $50 USD for reporting a previously unknown security vulnerability of sufficient severity (confirmed by our team). There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.
Bounty payouts will be paid via PayPal or, if you are a PayKickstart vendor, we may provide bounty payouts in the form of "credit" added to your PayKickstart vendor account.
- Special Mentions:
With your permission, we also provide attribution on this page as a thank you.
Eligibility
PayKickstart reserves the right to decide if the bug is real and serious enough to receive the bounty. As a framework for reference, please consider the following list of things we want to know about:
- XSS*
- CSRF*
- Authentication bypass or privilege escalation
- Remote code execution
- Obtaining sensitive user information
- Accounting errors
*Depends on where the issue is identified and is solely at our discretion
In general, the following are not of interest to us:
- Denial of service
- Spamming
- Misconfigured SPF, DKIM or DMARC records
- Vulnerabilities identified on our support articles (support.paykickstart.com)
- Vulnerabilities identified on static WordPress sites
- Vulnerabilities identified on staging/demo environments
- Any other service not directly hosted or controlled by PayKickstart
How to Send a Disclosure Report
You can disclose a vulnerability by contacting us here.
Include items 1-7 below in your report:
- Subject: [Vulnerability Report] – Your Subject
- Code that reproduces the issue.
- A detailed description and potential impact of the reported vulnerability.
- A detailed description for possible resolutions.
- Your name and link for attribution on this page (if desired).
- Your PayKickstart account email address (if using an account)
- Your PayPal email address for your pay-out (if applicable).
*Please ensure all of the required information above is included in your report email so that proper credit is awarded to you.
Special Mentions
On behalf of our users, we would like to thank the following people for making a responsible disclosure to us and helping ensure the integrity of the PayKickstart platform:
- Faisal Mehmood
- Joshua Osabel: (LinkedIn Profile)
- Ayon Hasan (lollipop1337)
- Mubassir Kamdar (website)