Open Source Security Bug Bounty

A new way to get paid for bug reports

Written by Neal Harris.

Today, we’re excited to announce our security bug bounty program for our open source software. We recognize the important contributions the security research community can make when it comes to finding bugs, and we’re asking for your help to report security bugs in our open source code.

We’ve released more than 50 open source projects — many of which are critical components of our infrastructure. With so many sellers relying on Square to run and grow their business, it’s our number one priority to ensure our code is secure. We welcome you to report problems for any project that has a BUG-BOUNTY.md file, including Keywhiz, KeywhizFs, js-JOSE, Go-JOSE, OkHttp, Squalor, Retrofit, Okio, Wire, and pam_krb5_ccache. We’ll continue to add projects to the bounty.

If you discover a security flaw, head to our HackerOne page (created specifically for our open source software), and read about our program. While it’s not required that you attach a fix to bug reports, patches are greatly appreciated. To preserve confidentiality of potential security issues, please do not open a pull request against the project to fix issues you report; instead, create a patch and attach it to the HackerOne report.

Happy hacking!