Vulnerability Disclosure and Reward Program

Paystack runs a public bug bounty program through HackerOne. Valid and in-scope reports might be eligible for rewards. Please view the terms and conditions before finalising the submission.

Paystack recognises the importance of the security community in our quest to provide a safe and secure experience for our customers and stakeholders. So, if you are a security researcher that has found a vulnerability in any Paystack product or service, we would like to hear from you.

By submitting a security bug or vulnerability to Paystack through HackerOne, you acknowledge that you have read and agreed to the Program Terms and Conditions set forth below. By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Paystack’s prior written approval.

Submit Vulnerability via HackerOne

You are about to submit a report to Paystack via HackerOne. Please include detailed reporting and a working Proof of Concept.

Submit a vulnerability here

Programme terms and conditions

  • You need to show that you could exploit a vulnerability, but you must not actually exploit it. You must not: access, modify, copy, download, delete, compromise or otherwise misuse others’ data; access non-public information without authorisation; degrade, interrupt or deny services to our users; and/or incur loss of funds that are not your own.
  • You must not leverage the existence of a vulnerability or access to sensitive or confidential data to make threats, extortionate demands, or ransom requests.
  • Your testing must not violate any applicable laws or regulations.
  • You are prohibited from participating in the program if you are a resident of any U.S. embargoed jurisdiction, including but not limited to Iran, North Korea, Cuba, the Crimea region, and Syria; or if you are on the U.S. Treasury Department's list of Specially Designated Nationals or the U.S. Department of Commerce Denied Person’s List or Entity List. By participating in the program, you represent and warrant that you are not located in any such country or on any such list.
  • By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Paystack's prior written approval.
  • You will be responsible for any tax implications related to any bounty payment you receive, as determined by the laws of your jurisdiction.
  • You must be 18 years of age or older.
  • You must not be employed by Paystack or any of its affiliates. You must also not be an immediate family member of someone employed by Paystack or any of its affiliates.
  • By reporting a bug, you grant Paystack and its affiliates a perpetual, irrevocable, worldwide, royalty-free license to use, copy, adapt, develop, create derivative work from, or share your submission for any purpose. You waive all claims, including breach of contract or implied-in-fact contract, arising out of your submission.
  • HackerOne may share with Paystack the personal information that you provide to HackerOne, in order to allow Paystack to run this program more effectively. To exercise your rights or find out more about how we process the personal data you provide, please refer to our Privacy Policy online or email our Data Protection Officer at [email protected]
  • Whether to provide a payment for the disclosure of a bug and the amount of the payment is entirely at our discretion, and we may cancel or modify the program at any time.
  • Only the first, responsibly-disclosed submission of a vulnerability instance will be marked as valid, any subsequent reports will not be eligible for our program.


Ineligible Vulnerabilities

Paystack does not consider the following to be eligible vulnerabilities:

  • Denial of service
  • Reports of spam
  • Social engineering
  • Self-XSS
  • Content/text spoofing
  • Unconfirmed reports from automated vulnerability scanners
  • Disclosure of server or software version numbers
  • Hypothetical subdomain takeovers without supporting evidence
  • Session invalidation or other improved-security related to account management when a credential is already known (e.g., password reset link does not immediately expire, adding MFA does not expire other sessions, etc.)
  • Perceived security weaknesses without concrete evidence of the ability to compromise a user (e.g., missing rate limits, missing headers, etc.)
  • Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
  • User/merchant enumeration
  • Best practice reports without a valid exploit (e.g. use of "weak" TLS cyphers)