Responsible disclosure policy
Recharge’s Responsible Disclosure Policy provides rewards to eligible parties who discover and discretely report verified security bugs. Our intent is to reward folks who help us keep Recharge secure.
The Recharge Responsible Disclosure Policy (defined below) allows Recharge, in its sole discretion, to reward participants who discover bugs, exploits, or vulnerabilities and allow Recharge to remove such problems that might exist in services provided by Recharge. Under this program, people who participate in our program; discover bugs, vulnerabilities, and exploits; and report them to us (“Participants”) will be paid a reward as a token of our gratitude for cooperating to help us improve the quality of our services.
This policy utilizes the following definitions:
- Bug – is a software error, flaw, or failure or a fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways.
- Responsible Disclosure – the program described in this document, which is intended to provide rewards to eligible submitters of bug information to Recharge (i.e., Participants).
- Exploit – a portion of software, a collection of data, or a sequence of commands that takes advantage of a bug or vulnerability in a separate computer with the intent of causing unintended or unanticipated behavior to occur in that separate program.
- Vulnerability – is a weakness in computer security, internal controls, design or implementation, which allows an attacker to reduce the system’s information assurance or exploit it whether accidentally or intentionally in any ways.
Under the terms of the this policy, we offer a bounty (a money reward) for any security relevant Bugs, Vulnerabilities, or Exploits discovered in our software or platform.
How do I report a bug to Recharge?
All bugs must be submitted using the form below. Provide as much information as possible about the potential issue you have discovered. The more information you provide, the faster Recharge will be able to validate the issue.
Who is eligible for a reward?
You are eligible to for an award under this program if:
- You have executed Recharge’s Confidentiality and Terms Agreement.
- You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer’s rules for participating in this program;
- You are not the author of the code that’s been infected with the bug, nor were you otherwise involved in its integration into Recharge;
- You did not create, or assist in the creation of, the bug about which you are reporting;
- You are not a current employee or contractor of Recharge or its affiliates; and
- You do not reside in a country that is under any current U.S. sanctions.
What kind of rewards are offered? How are they awarded?
We offer a range of rewards and decide the appropriate award for qualified bug report submissions based on our own discretion. We are excited about this program, but please note that our decisions are final with respect to who gets a reward, what we reward, and if a reward is provided at all.
- If multiple people report a bug together, the reward will be split evenly among them;
- If multiple people submit separate qualified reports claiming to have discovered the same bug, the person whose report we received first gets the reward; and
- When a single bug manifests in multiple forms, it will be classified as a single vulnerability (and only one reward will be paid).
What about the legal terms?
As further consideration for receiving an award, Recharge may require you to sign additional documents such as a reward release and confidentiality agreements. The reward release and confidentiality agreements may specify that, among other things, Recharge will be responsible for reporting the bug, Recharge will give you credit for identifying such bug(s), and you shall be restricted from disclosing any information about such bug(s).
What other requirements exist?
- We are not responsible for reports that we do not receive or for submissions that we receive but are incomplete or unclear;
- Our lack of response to your submission does not mean we are ignoring you. We may get numerous submissions, with only a small portion of them being material. We take our time to verify submissions. Going public with a potential security bug will rescind eligibility for a reward.
- We reserve the right to withhold a reward if we believe you have acted in a way that has violated law or endangered the security of Recharge or Recharge users – for example, by publicly disclosing a bug or testing a vulnerability on a real user.
- In no event are you authorized to access Recharge customer data. We reserve the right to take appropriate measures, including notifying authorities and law enforcement.
- If you report a vulnerability, you are agreeing that you will never disclose functioning exploit code (including binaries of that code) for the applicable vulnerability to any other entity or person, unless Recharge makes that code generally publicly available or you are required by law to disclose it.
- This does not prevent you from discussing the vulnerability once it is fixed or showing the effects of the exploit in code.
- Do not discuss the vulnerability in any form prior to Recharge notifying you that it is fixed. (We may decide to pay bounties before a vulnerability is fixed, so please wait for the confirmation that it is fixed). Disclosing a vulnerability before we notify you that it has been fixed may render you ineligible to participate in our program.
- This program is void where prohibited by law.
The following issues are considered out of scope:
- Link injection without evidence on how the vulnerability can be used to attack
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user’s device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Use of a known-vulnerable libraries or frameworks – for example an outdated JQuery or AngularJS (without a clear and working exploit)
- Self-exploitation (cookie reuse, self cookie-bomb, self denial-of-service etc.)
- Self Cross-site Scripting vulnerabilities without evidence on how the vulnerability can be used to attack another user
- Lack of HTTPS
- Reports about insecure SSL / TLS configuration
- Rate limiting or bruteforce issues on non-authentication endpoints
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- OPTIONS/TRACE/DELETE/PUT/WEBDAV or any other HTTP Methods accepted by the server which do not specifically show a valid attack scenario
- Weak Certificate Hash Algorithm
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
- Open redirect – unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
- Security bugs in rechargepayments.com – this site runs on WordPress/WPEngine, so if you find vulnerabilities in the WPEngine service, please contact them directly for reporting details
- Conducting non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure and employees of Recharge.
View the terms and conditions.