Cardpeer

Bug Bounty Program

Last updated: January 18, 2026

1. Overview

At Cardpeer, security is a top priority. We value the contributions of security researchers who help us identify vulnerabilities in our platform. Our Bug Bounty Program rewards individuals who responsibly disclose security issues that affect our services.

We are committed to working with security researchers to verify, reproduce, and respond to legitimate reports. If you believe you have discovered a security vulnerability, we encourage you to report it through the process outlined below.

2. Scope

The following assets are within the scope of our Bug Bounty Program:

  • cardpeer.com and all subdomains
  • Cardpeer API endpoints
  • Cardpeer mobile applications (iOS and Android)
  • Authentication and authorization systems
  • Payment processing integrations

The following are explicitly out of scope:

  • Third-party services and applications not owned by Cardpeer
  • Social engineering attacks against Cardpeer employees or users
  • Physical security attacks
  • Denial of Service (DoS/DDoS) attacks
  • Spam or social engineering techniques
  • Issues in third-party libraries unless they directly affect Cardpeer

3. Eligibility

To be eligible for a reward, you must:

  • Be the first to report the vulnerability
  • Not be a current or former Cardpeer employee
  • Not reside in a country under trade sanctions
  • Report the vulnerability within 90 days of discovery
  • Not publicly disclose the vulnerability before we have addressed it
  • Comply with all applicable laws and regulations

4. Qualifying Vulnerabilities

We are particularly interested in vulnerabilities that could lead to:

  • Remote Code Execution (RCE)
  • SQL Injection
  • Authentication or authorization bypass
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • Sensitive data exposure
  • Payment or financial manipulation
  • Account takeover vulnerabilities
  • Privilege escalation

5. Non-Qualifying Issues

The following issues are generally not eligible for rewards:

  • Missing security headers without demonstrated impact
  • Clickjacking on pages without sensitive actions
  • Self-XSS (XSS that only affects your own account)
  • Login/logout CSRF
  • Content spoofing without clear security impact
  • Rate limiting issues without demonstrated abuse potential
  • Vulnerabilities requiring physical access to a user's device
  • Outdated software versions without proof of exploitability
  • Issues that require unlikely user interaction
  • Theoretical vulnerabilities without working proof of concept

6. Rewards

Rewards are determined solely by Cardpeer based on the severity and impact of the vulnerability. Factors we consider include:

  • The severity of the vulnerability (Critical, High, Medium, Low)
  • The quality and clarity of the report
  • The complexity of the vulnerability
  • The potential impact on our users and platform
  • Whether a working proof of concept was provided

The final reward amount, if any, is at our sole discretion and is non-negotiable. We reserve the right to determine the appropriate reward for each valid submission.

7. How to Report

Please submit your vulnerability report to support@cardpeer.com with the following information:

  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • Proof of concept (screenshots, videos, or code)
  • The potential impact of the vulnerability
  • Any suggestions for remediation
  • Your contact information for follow-up

We will acknowledge receipt of your report within 3 business days and aim to provide an initial assessment within 10 business days.

8. Rules of Engagement

When conducting security research, please adhere to the following rules:

  • Do not access, modify, or delete data belonging to other users
  • Do not perform actions that could impact the availability of our services
  • Do not use automated scanning tools that generate excessive traffic
  • Only test against accounts you own or have explicit permission to test
  • Do not publicly disclose vulnerabilities before they are fixed
  • Stop testing and report immediately if you access user data
  • Respect the privacy of our users at all times

We consider security research conducted in accordance with this policy to be authorized and will not pursue legal action against researchers who:

  • Act in good faith and comply with this policy
  • Avoid privacy violations and do not access user data unnecessarily
  • Report vulnerabilities promptly and do not exploit them maliciously
  • Do not disrupt our services or degrade user experience

If you have any doubts about whether your research complies with this policy, please contact us before proceeding.

9. Contact

For security-related inquiries or to submit a vulnerability report, please contact us at support@cardpeer.com.

For general questions about our Bug Bounty Program, you can also reach out via our support channels at support@cardpeer.com.