BugHunters — Bug Bounty Platform
    Back to Programs
    PayPal

    PayPal

    Fintech

    Global digital payments platform enabling secure online transactions for 430M+ active accounts across 200+ markets.

    https://paypal.com

    Max Reward

    $30,000

    Total Paid

    $4,200,000

    Resolved

    534

    Avg Response

    2 days

    In-Scope Assets

    paypal.com

    Consumer and merchant dashboards

    PayPal API

    Payments, subscriptions, and checkout APIs

    Venmo

    Social payments platform

    PayPal Mobile

    iOS and Android applications

    Out of Scope

    • Honey browser extension
    • Third-party integrations
    • PayPal Credit underwriting

    Severity Levels & Rewards

    Critical

    RCE, authentication bypass, privilege escalation, fund extraction

    High

    Stored XSS, CSRF with impact, API abuse, data manipulation

    Medium

    Reflected XSS, data leakage, logic flaws, information disclosure

    Low

    Verbose errors, minor config issues, low-impact info disclosure

    Active Bounties (2)

    IDTitleSeverityStatusRewardSubmissions
    PP-001Transaction amount modification via concurrent API race condition
    Critical
    Open
    		$15,000–$30,0000
    PP-002Venmo private transaction exposure via API enumeration
    High
    Resolved
    		$5,000–$10,0005

    Rules of Engagement

    • Do not access, modify, or delete data belonging to other users.

    • Do not perform denial-of-service attacks or automated scanning at high volume.

    • Report vulnerabilities promptly and provide sufficient detail to reproduce.

    • Allow reasonable time for fix before public disclosure (90 days).

    • Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.