Mastercard is a technology company in the global payments industry. We operate the world’s fastest payments processing network, connecting consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. Mastercard products and solutions make everyday commerce activities – such as shopping, traveling, running a business and managing finances – easier, more secure and more efficient for everyone. For nearly half a century, Mastercard has been a leader in safety and security. As payment methods continue to evolve, Mastercard is committed to advancing digital security, which includes rigorous testing for potential vulnerabilities. You can help us make our products and services even safer and earn rewards by reporting potential vulnerabilities.
A Couple of Important Requirements for Mastercard:
When submitting a report to Mastercard, please be sure to include somewhere in your report the IP address you were testing from. This is very helpful to Mastercard.
Due to GDPR and legal requirements, all testing must be conducted using your @bugcrowdninja.com email ID only. If you fail to use your @bugcrowdninja.com email ID, you run the risk of being blocked from accessing Mastercard applications.
Rewards
Rewards will be facilitated through Payoneer ONLY (Setup payment methods)
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Out of Scope
The following targets are explicitly out of scope and any submissions reported will be marked out of scope.
demo.priceless.com/golf
demo.priceless.com/travel
demo.priceless.com/standup
All Available Mastercard Developer APIs
All vulnerabilities discovered and reported on other targets (including subdomains) will be accepted, but are not eligible for a reward at this time. These submissions will be marked "Not Applicable" to prevent negative ratings. For out-of-scope findings, we highly recommend submitting the vulnerabilities/findings to our VDP program.
Known Issue: The Mastercard Payment Gateway Virtual Payment Client (VPC) API that uses the MD5-based cryptogram to provide an integrity check of request parameters contains a critical vulnerability that allows limited modification of those parameters without causing a change in the cryptogram value. This vulnerability is remotely exploitable and does not require authentication. Mastercard has assessed the severity as CVSS 7.5. Mastercard recommends that all customers update their integration to use the HmacSHA256-based cryptogram, which is not vulnerable to parameter tampering. We thank Yohanes Nugroho for his help in identifying this security vulnerability and protecting our customers.
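The known issue above contrasts an MD5-based cryptogram that can be left unchanged by certain parameter edits with an HMAC-SHA256 cryptogram that is not. The following is an added example, not Mastercard's VPC code: the field names (`merchant_id`, `order_id`, `cryptogram`), the demo secret and the encoding are all constructed for illustration, and the page does not say which encoding the real VPC uses. It shows one generic reason an integrity hash over bare concatenated values can stay constant under a field-boundary shift, beside a keyed HMAC-SHA256 verifier over an unambiguous encoding that rejects any such change and compares digests in constant time.

```python
"""Added example: integrity cryptograms over request parameters.

Illustrative only. The field names, secret and encodings are constructed;
they are not Mastercard's VPC format, which the page does not describe.
"""
import hashlib
import hmac
from urllib.parse import quote

# Constructed demo secret; a real integration loads this from secure config.
DEMO_SECRET = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)

CRYPTOGRAM_FIELD = "cryptogram"  # constructed name for the signature field


def weak_digest(params: dict, secret: bytes = DEMO_SECRET) -> str:
    """Hypothetical weak pattern: MD5 over the secret plus the bare
    concatenation of values. Because no delimiter or length separates the
    fields, two different parameter sets can produce the identical input
    string, and therefore the identical digest."""
    joined = "".join(str(v) for _, v in sorted(params.items()))
    return hashlib.md5(secret + joined.encode("utf-8")).hexdigest()


def canonical_string(params: dict) -> str:
    """Unambiguous encoding for the hardened cryptogram.

    Keys are sorted so field order does not matter, and keys and values are
    percent-encoded so '&' and '=' inside a value cannot be mistaken for a
    field boundary. Moving characters between neighbouring fields always
    changes this string. The cryptogram field itself is never covered."""
    return "&".join(
        f"{quote(str(k), safe='')}={quote(str(v), safe='')}"
        for k, v in sorted(params.items())
        if k != CRYPTOGRAM_FIELD
    )


def compute_cryptogram(params: dict, secret: bytes = DEMO_SECRET) -> str:
    """Keyed HMAC-SHA256 over the canonical string, as upper-case hex."""
    mac = hmac.new(secret, canonical_string(params).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest().upper()


def verify_request(params: dict, secret: bytes = DEMO_SECRET) -> bool:
    """Accept the request only if the supplied cryptogram equals the
    recomputed one. compare_digest avoids leaking the match position
    through timing; a missing or malformed cryptogram simply fails."""
    supplied = str(params.get(CRYPTOGRAM_FIELD, "")).upper()
    expected = compute_cryptogram(params, secret)
    return hmac.compare_digest(supplied, expected)


def demo() -> tuple:
    """Sign a constructed request, then check that an altered copy is rejected.
    Returns (genuine_accepted, tampered_accepted)."""
    request = {  # constructed sample request
        "merchant_id": "TESTMERCHANT",
        "order_id": "ORDER-1001",
        "amount": "1000",
        "currency": "USD",
    }
    request[CRYPTOGRAM_FIELD] = compute_cryptogram(request)
    tampered = dict(request, amount="100")
    return verify_request(request), verify_request(tampered)


if __name__ == "__main__":
    # Same concatenated text, same MD5 -> the weak check cannot tell them apart.
    print(weak_digest({"a": "12", "b": "34"}) == weak_digest({"a": "1", "b": "234"}))
    # The HMAC over the canonical encoding distinguishes them.
    print(compute_cryptogram({"a": "12", "b": "34"}) != compute_cryptogram({"a": "1", "b": "234"}))
    print(demo())
```

Two properties carry the fix: the key makes the digest uncomputable without the secret, and the delimited, percent-encoded canonical form makes every distinct parameter set hash differently, so the verifier's answer depends on exactly the fields the merchant signed.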
Related to GitHub:
Any finding related to GitHub (API keys, passwords, SSH private keys): please validate it from your end once before submitting here. Sometimes employees may have mistakenly pushed a personal or test project to GitHub; we may not consider such findings here. Please submit those to our VDP program.
Related to Subdomain Takeovers:
Please submit subdomain takeover findings to our VDP program if the subdomain is not in scope here.
Recently disclosed critical, high-risk or 0-day vulnerabilities in third-party products/software/OS for which no patch, or only a recent patch (< 2 weeks old), is available are out of scope. If you have a report that falls within this window and want to make us aware of it, please submit it to our Vulnerability Disclosure Program for further evaluation.
Additional information
Mastercard Donate
Researchers are encouraged to create their own accounts by visiting https://donate.mastercard.com/wfp/en-it.html and signing up. When signing up, please use the following credit card info:
Card number: 5333170000000008, 5333170000000057
Expiration: 09/24
CVC: 464
Simplify Commerce
Simplify Commerce is a uniquely versatile, highly scalable and incredibly simple cloud-based payments platform from MasterCard. It works for card brands that the acquirer supports. Designed with the small business owner in mind, it’s a simple, easily integrated and dynamic platform that makes it a strong choice for businesses of all sizes.
DO NOT register a new merchant account or attempt to accept real payments, as this would involve parties that are out of scope. We have ensured the sandbox has the same functionality needed for testing.
Testing is limited to the developer sandbox environment.
To create your account, register as a developer. Accounts can be self-provisioned using your @bugcrowdninja.com email, and the test numbers are available here.
If a link goes outside the www.simplify.com or sandbox.simplify.com domains, it is no longer in scope and should not be tested.
Simplify has two live partners, Priority Payment Systems and EVO Payment Systems, which are explicitly out of scope.
Mastercard Regional Websites
The regional MasterCard sites are the company’s external websites, which include public information available to unauthenticated users. The sites include outbound links to resources not hosted on the www.mastercard.com domain. Only the core MasterCard domain is in scope and open to testing. Please be mindful of which domain / subdomain you are testing.
https://developer.mastercard.com
The APIs for the developer portal are fully out of scope for this program. You may either use an existing account, or create new users as needed using your @bugcrowdninja.com address.
Credentials
Please create an account on your own using your @bugcrowdninja.com email address. Your 'bugcrowdninja' email address is your username@bugcrowdninja.com. All emails will go to the email address associated with your account.
Focus Areas
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
Insecure direct object references
Injection Vulnerabilities
Authentication Vulnerabilities
Server-side Code Execution
Privilege Escalation
Significant Security Misconfiguration (when not caused by user)
Any other issues that could lead to compromise or leakage of data and directly affect the confidentiality or integrity of user data, or that affect user privacy.
Prohibited Testing
Do NOT conduct non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure.
Do NOT test the physical security of MasterCard offices, employees, equipment, etc.
Do NOT perform any attack that could harm our services (E.g.: DDoS/Spam)
Do NOT attack, in any way, our end users, or engage in trade of stolen user credentials.
Do NOT use automated scanners and tools to find vulnerabilities; they are strictly not allowed.
Do NOT Perform automated/scripted testing of web forms, especially "Contact Us" forms that are designed for customers to contact our support team.
You may investigate or target vulnerabilities against your own or test accounts, but testing must not disrupt or compromise any data or data access that is not yours.
Automated scanners/tools are strictly prohibited.
Confidentiality: If your testing or investigation inadvertently causes a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information), please include this information in your report (or email support@bugcrowd.com).
The following finding types are specifically excluded from the bounty:
Pivoting, scanning, and vulnerability exploitation.
Exfiltration of data from MasterCard systems.
Email spoofing
Missing or incorrect SPF/DMARC/DKIM records of any kind
Descriptive error messages (e.g. Stack Traces, application or server errors).
Fingerprinting / banner disclosure on common/public services.
Clickjacking and issues only exploitable through clickjacking.
Login/Logout/Unauthenticated/low-impact/anonymous user CSRF.
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
Lack of Security Speedbump when leaving the site.
Weak Captcha / Captcha Bypass
Forgot Password page brute force and account lockout not enforced.
Username / email enumeration:
  via Login Page error message
  via Forgot Password error message
Any missing HTTP security headers
SSL Issues, e.g.:
  SSL Attacks such as BEAST, BREACH, Renegotiation attack
  SSL Forward secrecy not enabled
  SSL weak / insecure cipher suites
Vulnerabilities affecting users of outdated browsers or
  IE < 9
  Chrome < 40
  Firefox < 35
  Safari < 7
  Opera < 13