Bug Bounty Program

ChargeOver offers a security-focused bug bounty program, where security researchers can responsibly disclose vulnerabilities or security weaknesses, in return for monetary payouts.

If you are a security researcher looking to participate in our bug bounty program, you must read the following first.

Getting Started

  1. We pay via PayPal or credit card; for PayPal you must report issues from your PayPal email address
  2. Sign up for one ChargeOver trial account using the same email address you're going to report issues from: https://app.chargeover.com/signup
  3. Read and follow the rules below
  4. All issues must be reported via this bug bounty form

We welcome responsible security disclosures from security researchers. Payouts range from $25 USD to $1000 USD depending on the severity of the issue found.

General Rules

  • Do not spam our sign-up form, or sign up for hundreds of ChargeOver accounts. You only need one account to test.
  • Do not spam our "Contact Us" or demo request forms. You don't need to send us thousands of demo requests or contact requests to test these. The forms are out of scope anyway :)
  • Do not use automated testing tools (we already run scans with Nessus and IBM AppScan, and automated scanning tools often result in many false positives and high system load on our end).
  • Don't attempt to gain access to another user's account or data.
  • Don't perform any attack that could harm the reliability/integrity of our services or data.
  • DDoS/spam attacks are not allowed.
  • Don't publicly disclose a bug before it has been fixed.
  • Don't harass, verbally abuse, threaten, or berate any of our staff or customers. This includes asking for follow-up/payment multiple times.

YOU MUST

  • Be able to accept PayPal or credit card payments. We can NOT pay you in any other way besides PayPal or credit card. PayPal payments will be sent to the same email address you report the bug/issue/vulnerability from
  • Provide us with either a signed 1099 form (if you're in the US) or a Form W-8BEN (if you're outside of the US)

YOU MUST NOT

  • Be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions
Out-of-Scope Sites

These include custom.ChargeOver.com and the Chatlio live chat.

  • We will not pay bug bounties for out-of-scope sites.
  • custom.ChargeOver.com is out of scope
  • cap.ChargeOver.com is out of scope
  • pa.ChargeOver.com is out of scope
  • scheduling components provided by calendly.com are out of scope
  • our live chat tool is out of scope (this is the "Contact Us" / "Live Chat" tabs in the bottom right)
  • GitHub is out of scope (we are aware that some of our examples have mock/fake usernames/passwords in them, which point to non-existing mock/fake websites)

In-Scope Sites

These include www.ChargeOver.com, app.Chargeover.com, help.ChargeOver.com, and developer.ChargeOver.com.

  • We welcome responsibly disclosed reports for these sites: www.ChargeOver.com, app.ChargeOver.com, developer.ChargeOver.com, help.ChargeOver.com
  • We also welcome responsibly disclosed reports for application sign-ups using your email address (see the next section below titled "Application Sign-Ups")
  • When submitting forms, use your own email address

In-Scope Application Sign-Ups

This includes {{your-name-here}}.ChargeOver.com.

  • We welcome responsibly disclosed reports for the ChargeOver application
  • To begin testing, you sign up for a trial account using your own email address at the link below: https://app.chargeover.com/signup
  • You MUST restrict your testing to the subdomain you sign up for (e.g. {{your-name-here}}.ChargeOver.com)
  • You MUST sign up for the trial using the same email address you used to contact us

Other Sites

  • Please contact us if you wish to test, or have already found a vulnerability in, a site not listed here

Exceptions That Do NOT Qualify

  • We will NOT pay out for duplicate issues (e.g. if you find an issue in a shared component that affects multiple pages, we will only pay out for the single issue of fixing the shared component)
  • We will NOT pay out for bugs already reported by other security researchers
  • We do offer customizable email templates which allow an Administrator to embed their own links, HTML, and "send this email from: ..." email addresses. The ability to customize these messages is a core part of the functionality, and not a vulnerability.
  • We do offer several places where an Administrator is allowed to override/embed their own CSS and JavaScript. The ability to override these styles/provide this JavaScript is a core part of the functionality, and not a vulnerability.
  • We will NOT pay out for social engineering attacks.
  • We will NOT pay out for attacks that require physical access to a user's device/computer.
  • We will NOT pay out for bugs requiring exceedingly unlikely user interaction.
  • We will NOT pay out for "best practice" type reports (e.g. DNSSEC, missing HTTP security headers, SPF, DKIM, DMARC, etc.) unless related to an actual specific vulnerability/information disclosure issue you can identify within the platform, or the practice is required by our PCI ASV or our other security auditors. We are aware of best practices, and are continually evolving our security program to incorporate new security features.
  • Issues related to rate-limiting email sending rates are generally not eligible for a bug bounty.
  • CSRF/XSS/etc. attacks which do not result in unwanted behavior/security issues are not eligible for a bug bounty payout (though if you encounter one, please do let us know so we can improve it).
  • Generally, bugs or UI improvements which do not result in a security issue/vulnerability are not eligible for a bug bounty payout.

When in doubt, please contact us and ask!