BlackHat 2014: Square Launches Bug Bounty Program

Ever ordered, say, a snow cone from a beach vendor, or bought a hat from a kiosk in the mall, and been given the option to pay by credit card? Chances are they’re using Square, the tiny mobile card swiper that plugs into a smartphone and uses an on-board app-server configuration for credit card processing. Square has largely created the market for the very small business to move away from cash-only transactions, but some consumers remain leery of the technology from a security perspective.

Square is aiming to boost its security profile by reaching out to the security research community with a paid bug bounty program. Minimum payment is $250, but the company has awarded as much as $1,500 per bug so far.

Dino Dai Zovi announced the move on a BlackHat panel about the future of responsible disclosures, and Neal Harris, application security team lead for the company, gave further details in a blog.

“We’re very excited to announce our security bug bounty with HackerOne,” Harris said. “We recognize the important contributions the security research community can make when it comes to finding bugs, and we’re asking for your help.”

The program, housed at HackerOne, is particularly focused on uncovering problems with Square’s payment flow. If an issue is found (and as of publication 10 flaws have been closed so far), the company wants detailed steps on reproducing the bug, including any screenshots, links clicked, pages visited, etc., with a report focusing on technical details and precise explanations. It also is asking for concrete attack scenarios.

To encourage responsible disclosure and maximum exposure to the help of the hacking community, the company said that it pledges not to bring legal action against researchers who share the full details of any problem found and fulfill a laundry list of fairly standard “do nots”: do not disclose the issue to others until Square has had reasonable time to address it; do not intentionally harm the experience or usefulness of the service to others; never attempt to view, modify or damage data belonging to others; do not attempt a denial-of-service attack; and do not perform any research or testing in violation of law.

The bounty approach may be new, but that’s not to say that the company wasn’t focused on security before.

“With so many sellers relying on Square to run and grow their business, we’ve made protecting them a priority,” Harris said. “We monitor every transaction from swipe to payment, innovate in fraud prevention and adhere to industry-leading standards to manage our network and secure our web and client applications. We protect our sellers like our own business depends on it — because it does.”
