Bug Bounty Program

Overview

ChargeOver offers a security-focused bug bounty program, where security researchers can responsibly disclose vulnerabilities or security weaknesses, in return for monetary payouts.

After you submit a bug bounty form, your form will be sent to us and we will reach out to you after reviewing it.

info

If you are a security researcher looking to participate in our bug bounty program, you must read the following first.

Getting started

  1. We pay via PayPal or credit card; for PayPal you must report issues from your PayPal email address
  2. Sign up for one ChargeOver trial account using the same email address you're going to report issues from: https://app.chargeover.com/signup
  3. Read and follow the rules below
  4. All issues must be reported via this bug bounty form

We welcome responsible security disclosures from security researchers. Payouts range from $25 USD to $1000 USD depending on the severity of the issue found.

General rules

  • Don't spam our sign-up form, or sign up for hundreds of ChargeOver accounts. You only need one account to test
  • Don't spam our contact us or demo request forms. You don't need to send us thousands of demo requests or contact us requests to test these. The forms are out of scope anyway
  • Don't use automated testing tools. We already run scans with Nessus and IBM AppScan, and automated scanning tools often result in many false positives and high system load on our end
  • Don't attempt to gain access to another user's account or data
  • Don't perform any attack that could harm the reliability or integrity of our services or data
  • DDoS or spam attacks are not allowed
  • Don't publicly disclose a bug before it has been fixed
  • Don't harass, verbally abuse, threaten, or berate any of our staff or customers. This includes asking for follow-up or payment multiple times

In-scope sites

These include www.ChargeOver.com, app.Chargeover.com, help.ChargeOver.com, and developer.ChargeOver.com.

  • We welcome responsibly disclosed reports for these sites: www.ChargeOver.com, app.ChargeOver.com, developer.ChargeOver.com, help.ChargeOver.com
  • We also welcome responsibly disclosed reports for application sign-ups using your email address

note

When submitting forms, use your own email address.

In-scope application sign-ups

This includes {{your-name-here}}.ChargeOver.com.

  • We welcome responsibly disclosed reports for the ChargeOver application
  • To begin testing, you sign up for a trial account using your own email address at the link below: https://app.chargeover.com/signup
  • You must restrict your testing to the subdomain you sign up for. For example: {{your-name-here}}.ChargeOver.com
  • You must sign up for the trial using the same email address you used to contact us

Obligations

  • You must be able to accept PayPal or credit card payments. We cannot pay you in any other way besides PayPal or credit card. PayPal payments will be sent to the same email address you report the bug, issue or vulnerability from
  • You must be able to provide us with either a signed 1099 form or a Form W-8BEN

Restrictions

  • You must not be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions
Exceptions that do not qualify

  • We will not pay out for duplicate issues
    • For example, if you find an issue in a shared component that affects multiple pages, we will only pay out for the single issue of fixing the shared component
  • We will not pay out for bugs already reported by other security researchers
  • We do offer customizable email templates which allow an Administrator to embed their own links and HTML, and to send this email from: ... email addresses. The ability to customize these messages is a core part of functionality, and not a vulnerability
  • We do offer several places where an administrator is allowed to override or embed their own CSS and JavaScript. The ability to override these styles and provide this JavaScript is a core part of functionality, and not a vulnerability
  • We will not pay out for social engineering attacks
  • We will not pay out for attacks that require physical access to a user's device or computer
  • We will not pay out for bugs requiring exceedingly unlikely user interaction.
  • We will not pay out for "best practice" type reports
    • For example, DNSSEC, missing HTTP security headers, SPF, DKIM, DMARC, unless related to an actual specific vulnerability or information disclosure issue, that you can identify within the platform, or the practice is required by our PCI ASV or our other security auditors. We are aware of best practices, and are continually evolving our security program to incorporate new security features
  • Issues related to rate-limiting email sending rates are generally not eligible for a bug bounty
  • CSRF or XSS attacks which do not result in unwanted behavior or security issues are not eligible for a bug bounty payout. Though if you encounter one, please do let us know so we can improve it
  • Generally, bugs or UI improvements which do not result in a security issue or vulnerability are not eligible for a bug bounty payout

Out-of-scope sites

We will not pay bug bounties for out-of-scope sites. This includes sites like custom.ChargeOver.com and Chatlio live chat.

  • custom.ChargeOver.com is out of scope
  • cap.ChargeOver.com is out of scope
  • pa.ChargeOver.com is out of scope
  • Scheduling components provided by calendly.com
  • Our live chat is out of scope
  • GitHub is out of scope
    • We are aware that some of our examples have mock or fake usernames and passwords in them, which point to non-existing mock or fake websites

Other sites

When in doubt, please contact us and ask! Contact us if you wish to test, or have already found a vulnerability in, a site not listed here.