PayPal has a team of dedicated security experts who work to protect customer information. We recognize the important role that you, the security research community, play in helping to keep PayPal and our customers secure. If you believe you have found a security vulnerability in a PayPal site or product, please report it to us by following the instructions below.
To encourage responsible disclosure, we commit that if we conclude, in our sole discretion, that a disclosure respects and meets all of these program rules and PayPal's agreement policies, PayPal will not bring a private action against you or refer the matter for public inquiry.
Your research must not alter any files or data, and any files, data or permissions that you access, whether intentionally or not, may be used only to demonstrate the issue and must be reported to us.
To be eligible for the bug bounty program, you must not:
- Be a resident of, or submit your report from, a country against which the United States has issued export sanctions or other trade restrictions (e.g. Cuba, Iran, North Korea, Sudan and Syria);
- Be in violation of any national, state or local law or regulation;
- Be employed by PayPal, Inc. or its subsidiaries or affiliates;
- Be an immediate family member of a person employed by PayPal, Inc. or its subsidiaries or affiliates; or
- Be under 14 years of age. You must be at least 14 years old, and if you are considered a minor in your place of residence you must obtain your parent's or legal guardian's permission before participating in the program.
PayPal reserves the right to determine that any submission that is ineligible under the above, or that is incomplete or inaccurate, does not qualify for a bounty payment.
By submitting a report to the program, you agree not to publicly disclose your findings or the contents of your submission to any third party in any way without PayPal's prior written consent.
Failure to comply with the program terms on any submission results in immediate disqualification from the bug bounty program and forfeiture of any bounty payment.
Scope for web applications
In-scope vulnerabilities include, but are not limited to:
- Disclosure of sensitive or personal information
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF) on sensitive actions in a privileged context
- Server-side or remote code execution (RCE)
- Authentication or authorization flaws, including insecure direct object references and authentication bypass
- Injection vulnerabilities, including SQL and XML injection
- Directory traversal
- Significant security misconfigurations with a verifiable vulnerability
- Exposed credentials that pose a valid risk to an in-scope asset
Out of scope vulnerabilities
Certain vulnerability classes are considered out of scope for the bug bounty program. Out-of-scope vulnerabilities include, but are not limited to:
- Any physical attacks against PayPal property or data centers
- Username enumeration on consumer-facing systems (i.e. using server responses to determine whether a given account exists)
- Scanner-generated reports or reports produced with automated tools, including the use of automated exploitation tools
- Payment fraud, theft, or malicious merchant accounts
- Man-in-the-middle attacks
- Stolen credentials, or vulnerabilities that require physical access to the device
- Social engineering of targets, including internal staff
- Vulnerabilities for which a documented control already exists (e.g. https://developer.paypal.com/docs/classic/paypal-payments-standard/integration-guide/encryptedwebpayments/)
- Open redirects, except in the following cases:
  - Clicking on a PayPal-owned URL leads immediately to the redirect
  - The redirect leaks sensitive information via tokens (e.g. session tokens, PII)
- Host header injection with no demonstrated direct impact
- Denial of service (DoS) attacks using automated tools
- Self-XSS, where the victim must enter the payload themselves
- Issues that require the victim to disable critical browser security controls or to perform unlikely interactions
- Login / logout CSRF
Infrastructure vulnerabilities, including:
- Issues related to SSL certificates
- DNS configuration issues
- Server configuration issues (such as open ports, TLS versions, etc.)
- Vulnerabilities in staging environments, with the exception of Braintree within our Sandbox Lab
- Vulnerabilities that only affect users of outdated or unpatched browsers and platforms
- Vulnerabilities that affect only a single browser are reviewed case by case; because they may have a reduced attack surface, they may be closed as informative
- Disclosure of public or non-sensitive information (such as public source code, server banners, etc.)
- Exposed credentials that are no longer valid or that pose no risk