RESPONSIBLE DISCLOSURE

Bug bounty program.

If you believe you have found a security issue in Foundation hardware, firmware, software, websites, or services, report it privately so we can investigate and fix it responsibly.

In scope

We are primarily interested in vulnerabilities that create a real security or privacy impact for Foundation customers, users, employees, or production systems.

  • Sensitive data exposure, whether data at rest or in transit
  • Exposure of customer data, API tokens, passwords, private keys, or other secrets
  • Access control issues, insecure direct object references, or privilege escalation
  • Cryptographic vulnerabilities in encryption, decryption, signing, or verification code
  • Signing a transaction without user approval, or signing a different transaction than was shown
  • Remote code execution, SSRF, CSRF, MITM, and SQL injection with real exploitability
  • Circuit board, secure boot, firmware update validation, or firmware downgrade vulnerabilities

Out of scope

These reports generally are not eligible for payment unless they are accompanied by a concrete exploit path and meaningful impact.

  • Development or staging systems, third-party integrations, and the booking or docs subdomains
  • SSL/TLS version reports, weak ciphers, or expired certificates without a direct exploit
  • Denial-of-service attacks, including denial-of-wallet, email or notification flooding, and rate-limit issues
  • Self-XSS without a reasonable attack scenario
  • SPF, DKIM, or DMARC reports
  • Vulnerable software version disclosure without proof of vulnerability
  • Brute-force attacks and issues unrelated to the security or privacy of our users
  • Duplicates of an existing submission, or issues Foundation already knows about, is already tracking, or has scheduled for remediation or is actively remediating; only the first valid report of a previously unknown issue is eligible
  • Third-party API keys that are intended to ship inside client applications and whose only impact is third-party quota or billing use
  • Missing security headers or cookie attributes (for example HttpOnly), and automated scanner output, where no working exploit is demonstrated

REQUIREMENTS

Report privately. Keep users safe.

Public disclosure is welcome after Foundation has identified, reproduced, and patched the issue, and after you receive written confirmation from Foundation.

Use test payment methods only and avoid disrupting live transactions.
Act in good faith. Ransom demands, abuse, or active exploitation will disqualify the report.
Do not include sensitive customer data in your report. Describe how to reproduce the issue instead.
Keep communication professional and provide enough detail for Foundation to reproduce the issue.
Report privately first. Public disclosure should wait until Foundation confirms in writing that the issue is resolved.

PAYOUT TABLE

Web security bug bounty rewards.

Bugs related to Passport products and Envoy are handled case-by-case and are separate from the table below.

Tier       Payout   Examples
Critical   $500     Payment bypass, credit card data exposure, remote code execution, administrative authentication bypass, SQL injection affecting payment or customer data
High       $200     Customer information disclosure, unauthorized order access, stored XSS in checkout flows, CSRF affecting administrative functions, session hijacking
Medium     $100     Information disclosure of non-sensitive business data, reflected XSS, missing authorization on lower-impact functions, limited directory traversal
Low        $50      Minor information leakage, limited security misconfiguration, clickjacking on non-sensitive pages, email enumeration through contact forms

REPORT

Send the report securely.

Use the form and choose Security disclosure. If you need to encrypt details, use the PGP security disclosures key.

View PGP security key

Do not include seed phrases, private keys, or wallet passwords.