Scope - PayPal
Snapshot Date: 2025-09-01
Program Policy URL: https://hackerone.com/paypal
Official Policy / Scope
Program highlights: Fully compliant with Platform Standards; Top Response Efficiency (this program's response efficiency is above 90%); Managed by HackerOne; Collaboration Enabled; Includes Retesting.
Response metrics:
- Average time to first response: 1 day
- Average time to bounty: 4 weeks, 21 hours
- Average time from submission to bounty: 4 weeks, 21 hours
- Average time to resolution: 2 months, 3 weeks
Rewards summary (last updated on April 9, 2024). Each severity lists the 90-day average bounty and the percentage of total resolved reports, if applicable.
| Severity (CVSS) | Bounty range | Avg. bounty | % of submissions |
|---|---|---|---|
| Low (0.1-3.9) | $50–$1,000 | $542 | 20.92% |
| Medium (4.0-6.9) | $1,000–$10,000 | $2,611 | 54.92% |
| High (7.0-8.9) | $10,000–$20,000 | $10,057 | 16.83% |
| Critical (9.0-10.0) | $20,000–$30,000 | $16,500 | 7.33% |
Scope exclusions
Core Ineligible Findings are out of scope.
Overview
Last updated on May 18, 2025.
Our team of dedicated security professionals works diligently to maintain the security of customer information. We acknowledge the crucial role that security researchers and our user community play in helping to keep PayPal and our customers secure. If you identify a vulnerability in our site or products, please notify us using the guidelines outlined below.
Summary
We understand that, as a researcher, you are eager to start testing immediately. However, we strongly recommend that you read the full program terms. We also follow the HackerOne platform standards. Here is a brief overview:
Submit a well-written report following the submission guidelines.
Do not cause any damage or disruption to our systems or services.
Rewards are based on the demonstrated impact of the vulnerability, not solely on CVSS scores.
What is Impact?
We at PayPal define impact as the potential consequences of a vulnerability on our systems, operations, and users. This includes factors such as financial losses, data breaches, operational disruptions, reputational damage, and regulatory or legal consequences. By assessing the impact of a vulnerability, we can prioritize our response and remediation efforts and ensure the security and integrity of our platform, while protecting our users' sensitive information and maintaining their trust in our services.
Program Terms
Please note that your participation in the Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page ("Program Terms"). By submitting a site or product vulnerability to PayPal, Inc. ("PayPal") you acknowledge that you have read and agreed to these Program Terms.
These Program Terms supplement the terms of PayPal User Agreement, the PayPal Acceptable Use Policy, and any other agreement in which you have entered with PayPal (collectively "PayPal Agreements"). The terms of those PayPal Agreements will apply to your use of, and participation in, the Bug Bounty Program as if fully set forth herein. If any inconsistency exists between the terms of the PayPal Agreements and these Program Terms, these Program Terms will control, but only regarding the Bug Bounty Program.
To encourage responsible disclosures, PayPal commits that, if we conclude, in our sole discretion, that a disclosure respects and meets all the guidelines of these Program Terms and the PayPal Agreements, PayPal will not bring a private action against you or refer a matter for public inquiry.
As part of your research, do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.
The following PayPal brands are in scope:
PayPal
Venmo
Xoom
Braintree Payments
Swift Financial/ Loanbuilder
Hyperwallet
For questions or issues specific to accounts or transactions, or other requests that do not fall under this scope, please contact our customer support service.
Brands and acquisitions not listed above are not in scope. These brands include, but are not limited to, the following:
Chargehound
Honey
Paidy
Simility
Zettle
PayPal will make a best effort to adhere to the following response targets:
| Type of Response | Business days | Reason |
|---|---|---|
| First Response | 2 days | |
| Time to Triage | 10+ days | Depends on report clarity and complexity |
| Time to Bounty | 15 - 30 days | Depends on report clarity, complexity and demonstrated Impact |
| Time to Resolution | Depends on severity and complexity | |
Eligibility Requirements
To be eligible for the Bug Bounty Program, you must not:
Be a resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);
Be in violation of any national, state, or local law or regulation;
Be employed by PayPal, Inc. or its subsidiaries;
Be an immediate family member of a person employed by PayPal, Inc. or its subsidiaries or affiliates; or
Be less than 14 years of age. If you are at least 14 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in the program.
If PayPal discovers that you meet any of the criteria above, PayPal will remove you from the Bug Bounty Program and disqualify you from receiving any Bounty Payments.
Disclosure Guidelines
By providing a Submission or agreeing to the Program Terms, you agree that you may not publicly disclose your findings or the contents of your Submission to any third parties in any way without PayPal’s prior written approval.
Failure to comply with the Program Terms will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any Bounty Payments.
Scope for Web Applications
In-Scope Vulnerabilities
Accepted in-scope vulnerabilities include, but are not limited to:
Any PayPal proprietary AI/ML product or service (e.g., inference endpoints, generative-AI assistants, recommendation engines).
Disclosure of sensitive or personally identifiable information that does not belong to you.
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) for sensitive functions in a privileged context
Server-side or remote code execution (RCE)
Authentication or authorization flaws, including IDOR and authentication bypass.
Injection vulnerabilities, including SQL and XML injection.
Directory traversal
Significant security misconfiguration with a verifiable vulnerability
Exposed credentials, disclosed by PayPal or its employees, that pose a valid risk to an in-scope asset.
Out-of-Scope Vulnerabilities
Certain vulnerabilities are considered out-of-scope for the Bug Bounty Program. Those out-of-scope vulnerabilities include, but are not limited to:
Any physical attacks against PayPal property or data centers
Username enumeration on customer-facing systems (i.e. using server responses to determine whether a given account exists)
Scanner output or scanner-generated reports, including any automated or active exploit tool.
Man-in-the-Middle attacks.
Vulnerabilities involving stolen employee/consumer/merchant credentials or physical access to a device.
Social engineering attacks, including those targeting or impersonating internal employees by any means (e.g. customer service chat features, social media, personal domains, etc.)
Open redirection, except in the following circumstances:
Clicking a PayPal-owned URL immediately results in a redirection, and/or
A redirection results in the loss of sensitive data (e.g. session tokens, PII, etc)
Host header injections without a specific, demonstrable impact.
Vulnerabilities found through DDoS or spam attacks. Do not attempt or execute DDoS attacks.
Self-XSS, which includes any payload entered by the victim.
Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls.
Login/logout CSRF
Content spoofing without embedding an external link or JavaScript.
Infrastructure vulnerabilities with no demonstrated impact, including:
Issues related to SSL certificates.
DNS configuration issues
Server configuration issues (e.g. open ports, TLS versions, etc.)
Most vulnerabilities within our sandbox, lab, or staging environments (that are not reproducible in Production), except Braintree.
Vulnerabilities only affecting users of outdated, unpatched, or unsupported browsers and platforms, including any version of Internet Explorer
Information disclosure of public or non-protected information (e.g. code in a public impact repository, server banners, etc.), or information disclosed outside of PayPal's control (e.g. a personal, non-employee repository; a list from a previous infodump; etc.)
Exposed credentials that are either no longer valid, or do not pose a risk to an in-scope asset.
Any other submission determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact.
Vulnerabilities on third party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
Reports that involve secondary business accounts, and the impact is limited solely to the parent account.
Denial of Service
In our commitment to maintaining a secure environment, we value your assistance in identifying Denial of Service (DoS) vulnerabilities that meet our specific criteria. Generally:
We only consider DoS issues that can be triggered by a single user with a single request.
We only consider DoS issues that cause a significant disruption to the entire service, not just an individual merchant or instance.
We explicitly do not accept any kind of DDoS (Distributed Denial of Service) issues.
Slow requests that eventually complete successfully without rendering the service unavailable to others do not constitute an availability impact for our program.
No Automated Scanning: Automated tools or scripts designed to overload our infrastructure or services are not permitted for use in testing. Researchers should refrain from testing techniques that could degrade service availability.
To ensure the stability and security of our systems while allowing responsible security research, we have established the following policy regarding Denial-of-Service (DoS) testing:
Sandbox-Only DoS Testing
Allowed: DoS proof-of-concept (PoC) testing is only permitted against applications where a sandbox environment is available. Researchers must confirm the availability of such an environment before proceeding with any DoS testing.
Prohibited: Under no circumstances are researchers permitted to perform any denial-of-service (DoS) tests or attacks against any of PayPal's production systems or any of its subsidiaries. Generating excessive traffic, flooding endpoints, or otherwise degrading service availability is strictly disallowed and will lead to further consequences.
Theoretical Reports for Production
High-Confidence Hypotheses: If your DoS test fails or does not reproduce in the Sandbox but you have strong reason to believe it would succeed in Production, please submit a theoretical report.
Proof-of-Concept Not Required: You do not need to actively exploit the potential vulnerability. Instead, outline the reasoning or evidence behind your suspicion and any relevant technical details (technical reasoning, endpoint details, potential impact).
Internal Validation: Our security team will investigate your claim internally and determine whether the endpoint is indeed vulnerable.
If you neglect the DoS policy, test on production, and cause an availability issue:
Immediate Impact: Any submission associated with a live service disruption may be disqualified from receiving a bounty.
Escalating Penalties: We will evaluate the severity and intent.
First-time / Accidental: Typically results in a formal warning and no bounty.
Repeat or Malicious: May lead to removal from our program (temporary or permanent) if we see a pattern of negligence or bad faith.
Open Dialogue: We understand mistakes can happen in good-faith research. If you promptly disclose what happened, cooperate fully, and make every effort to avoid further harm, we will take that into account when determining your status.
DoS Testing Guidelines:
Avoid Actual Service Disruption:
No Service Degradation: Make every effort to prevent any actual degradation or disruption of our services during testing.
Gradual Testing Approach:
Start Small: Begin with minimal payloads or input values.
Incremental Increases within reason: Slowly increase payload size or complexity while monitoring system responses.
Monitor Continuously: Keep an eye on service performance metrics (response times, error messages, etc.).
Immediate Cessation upon Degradation:
Stop Immediately: Cease all testing at the first sign of service degradation or abnormal behavior.
Document Findings: Record all relevant information up to that point for your report.
Timing Considerations:
Off-Peak Hours: Conduct testing during periods of low user activity to minimize potential impact.
Time Zones: Be mindful of global users and avoid universally high-traffic periods.
If you think you have found an eligible DoS issue, please include the following information in your report:
The URL of the page that is vulnerable to DoS
The Paypal-Debug-Id of the HTTP response that causes the DoS
The HTTP request that causes the DoS
The HTTP response that is returned by the server after the DoS has been triggered
The time it takes for the DoS to be triggered
Scope for Mobile Applications
In-Scope Vulnerabilities
In addition to in-scope items mentioned above, some additional vulnerability types will be considered in-scope for mobile applications. These include:
Man-in-the-Middle attacks
Attacks requiring physical access to a mobile device
Out-of-Scope Vulnerabilities
The following mobile vulnerabilities are out-of-scope and will not be accepted:
Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device
Username enumeration on customer-facing systems (i.e. using server responses to determine whether a given account exists)
Vulnerabilities requiring extensive user interaction
Exposure of non-sensitive data on the device
Vulnerabilities on third party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
Bug Submission Requirements
When testing PayPal assets:
We recommend registering accounts using your
Stats:
- Total bounties paid: $12,686,667
- Average bounty range: $1,900 - $3,200
- Top bounty range: $16,300 - $52,000
- Bounties paid (90 days): $168,750
- Reports received (90 days): 485
- Last report resolved: 7 days ago
- Reports resolved: 2201
- Hackers thanked: 1047
- Assets in scope: 41
Parsed Scope (to fill)
In Scope
-
Out of Scope
-
Changes
- 2025-09-01: Snapshot recorded.