BugHunters — Bug Bounty Platform
    Back to Programs
    Stripe

    Stripe

    Fintech

    Global payment infrastructure platform processing billions in transactions for internet businesses of every size.

    https://stripe.com

    Max Reward

    $50,000

    Total Paid

    $4,100,000

    Resolved

    312

    Avg Response

    1 day

    In-Scope Assets

    stripe.com

    Dashboard, documentation, and marketing site

    Stripe API

    Payment, subscription, and connect APIs

    Stripe.js / Elements

    Client-side payment SDKs and embeddable UIs

    Stripe CLI

    Developer tools and webhook testing

    Out of Scope

    • Third-party integrations
    • Stripe Atlas legal services
    • Rate limiting on docs

    Severity Levels & Rewards

    Critical

    RCE, authentication bypass, privilege escalation, fund extraction

    High

    Stored XSS, CSRF with impact, API abuse, data manipulation

    Medium

    Reflected XSS, data leakage, logic flaws, information disclosure

    Low

    Verbose errors, minor config issues, low-impact info disclosure

    Active Bounties (2)

    IDTitleSeverityStatusRewardSubmissions
    STRP-001Payment intent amount mismatch via concurrent API calls
    Critical
    Open
    		$15,000–$50,0000
    STRP-002Webhook signature bypass via timing attack
    High
    In Review
    		$5,000–$15,0002

    Rules of Engagement

    • Do not access, modify, or delete data belonging to other users.

    • Do not perform denial-of-service attacks or automated scanning at high volume.

    • Report vulnerabilities promptly and provide sufficient detail to reproduce.

    • Allow reasonable time for fix before public disclosure (90 days).

    • Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.