PayKickstart WhiteHat Program

PayKickstart offers a WhiteHat program for developers/researchers to report security vulnerabilities they discover and properly disclose them to PayKickstart, helping maintain the integrity of the platform while rewarding developers for their contributions.


Proper Disclosure

Proper disclosure includes:

  • Providing proper recommendations to replicate and resolve the related issue.
  • Providing us a reasonable amount of time to fix the issue before publishing the findings elsewhere.
  • DO NOT leak or destroy any PayKickstart data.
  • DO NOT defraud PayKickstart users or PayKickstart itself in the process of discovery/reporting.

In order to encourage responsible disclosure, PayKickstart promises not to bring legal action against developers/researchers who identify a problem, provided they do their best to follow the above guidelines.

Rewards

  • Payouts:
    The minimum payout is $100 USD for reporting a previously unknown security vulnerability of sufficient severity. There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.

Bounty payouts will be paid via PayPal or, if you are a PayKickstart vendor, we may provide bounty payouts in the form of "credit" added to your PayKickstart vendor account.

PayKickstart reserves the right to determine the bounty payout method and final amount as we deem necessary.

  • Special Mentions:
    With your permission, we also provide attribution on this page as a thank you.

Eligibility

PayKickstart reserves the right to decide if the bug is real and serious enough to receive the bounty. As a framework for reference, please consider the following list of things we want to know about:

  • XSS
  • CSRF
  • Authentication bypass or privilege escalation
  • Remote code execution
  • Obtaining sensitive user information
  • Accounting errors

In general, the following are not of interest to us:

  • Denial of service
  • Spamming
  • Misconfigured SPF, DKIM or DMARC records
  • Any other service not directly hosted or controlled by PayKickstart

How To Disclose

You can disclose a vulnerability by contacting us here.

Please include:

  • Subject: [Vulnerability Report] - Your Subject
  • Code that reproduces the issue.
  • A detailed description and potential impact of the reported vulnerability.
  • A detailed description of possible resolutions.
  • Your name and link for attribution on this page (if desired).
  • Your PayKickstart account email address (if using an account)
  • Your PayPal email address for your pay-out (if applicable).

Special Mentions

On behalf of our users, we would like to thank the following people for making a responsible disclosure to us to ensure the integrity of the PayKickstart platform.

  • Faisal Mehmood

Thank you for helping keep the PayKickstart community safe!
