In-Scope Vulnerabilities
Accepted, in-scope vulnerabilities include, but are not limited to:
Log4Shell
Log4Shell RCEs, data exfiltration, and WAF bypass may be considered high or critical depending on severity.
Pingbacks in which you can attribute the environment, hostname, IP address, or date or time are assigned medium severity.
The report may be closed as informative if a reproducible proof of concept is not included.
Disclosure of sensitive or personally identifiable information
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) for sensitive functions in a privileged context
Server-side or Remote Code Execution (RCE)
Authentication or authorization flaws, including insecure direct object references and authentication bypass
Injection vulnerabilities, such as SQL and XML injection
Directory traversal
Significant security misconfiguration with a verifiable vulnerability
Exposed credentials disclosed by PayPal or its employees that pose a legitimate risk to an in-scope asset
Out-of-Scope Vulnerabilities
Some vulnerabilities are considered outside the scope of the bug bounty program. Vulnerabilities outside the program's scope include, but are not limited to:
Any physical attack against PayPal property or data centers
Reports that involve a secondary user account where an existing business relationship is being leveraged and the impact is limited to the parent account only
Username enumeration on customer-facing systems (i.e. using server responses to determine whether an account exists)
Scanner output or scanner-generated reports, including output from any automated or active exploitation tools
Attacks involving payment fraud, theft, or malicious merchant accounts
Man-in-the-middle attacks
Vulnerabilities involving stolen credentials or physical access to the device
Social engineering attacks, including those targeting or impersonating internal staff by any means (including customer support chat features, social media, personal domains, etc.)
Vulnerabilities for which existing, documented controls exist (e.g. docs/classic/paypal-payments-standard/integration-guide/encryptedwebpayments/)
Clicking on a PayPal-owned URL directly leads to a redirect, and/or
Redirection results in loss of sensitive information (e.g. session token, PII, etc.)
Host header injection without a demonstrable, material impact
Vulnerabilities found through DDoS or spam attacks. If you notice a vulnerability and believe it could cause DoS (for example, a logical flaw or a known CVE), please submit it and we will evaluate it on a case-by-case basis. Do not attempt or perform DDoS attacks.
Self-XSS, which includes any payload entered by the victim
Any vulnerability that requires significant and unlikely interaction by the victim, such as disabling browser controls
Login/Logout CSRF
Content spoofing without embedding external links or JavaScript
Infrastructure vulnerabilities, including:
SSL certificate issues
DNS configuration issues
Server configuration issues (such as open ports, TLS versions, etc.)
Most vulnerabilities in our sandbox, lab, or staging environments, except Braintree.
Vulnerabilities affecting only users of older, unpatched, or unsupported browsers and platforms, including any version of Internet Explorer
Vulnerabilities that affect only one browser may be considered on a case-by-case basis and may be closed as informative due to the low attack surface
Disclosure of public or non-protected information (e.g. code in a public repository, server banners, etc.), or of information disclosed outside PayPal's control (e.g. a personal, non-employee repository; a listing from a previous infodump; etc.)
Exposed credentials that are either not valid, or do not pose a risk to a scoped asset
Any XSS that requires Flash. Flash is disabled by default in most modern browsers, greatly reducing the attack surface and associated risk.
Any other submission determined to be low risk based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact
Vulnerabilities in third-party libraries without demonstrating specific impact on the target application (e.g. a CVE without an exploit)
Mobile Application Scope
In-Scope Vulnerabilities
In addition to the in-scope items listed above, certain additional vulnerability types will be considered in-scope for mobile applications. These include:
Man-in-the-middle attacks
Attacks requiring physical access to the mobile device
Certain vulnerabilities with a working proof of concept on some of our Android mobile apps may be eligible for an additional reward through the Google Play Security Rewards Program. To see which apps and vulnerabilities may be eligible for a bounty, please refer to the scope and vulnerability criteria of the Google Play Security Rewards Program.
Out-of-Scope Vulnerabilities
The following mobile vulnerabilities are out-of-scope and will not be accepted:
Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device
Username enumeration on customer-facing systems (i.e. using server responses to determine whether a given account exists)
Vulnerabilities requiring extensive user interaction
Exposure of non-sensitive data on the device
Vulnerabilities in third-party libraries without demonstrating specific impact on the target application (e.g. a CVE with no exploit)