GoCardless Bug Bounty Program (HackerOne)


Target Policy
https://hackerone.com/gocardless_bbp?type=team
Structured Scope
  Each entry below lists the asset identifier, a description, the asset type, and the maximum severity accepted for that asset.
  • www.gocardless.com

    Our public-facing content, without authenticated access to sensitive information related to merchants or payers.

    URL
    medium
  • pay-sandbox.gocardless.com

    Sandbox for the API used to process billing requests, related to the Merchant Dashboard application.

    URL
    critical
  • manage-sandbox.gocardless.com

    Sandbox version of the Merchant Dashboard application. Includes user management for the GC4X application (xero.gocardless).

    URL
    critical
  • auth0.gocardless.com

    The Auth0 authentication endpoint for `bankaccountdata.gocardless.com`, to which visitors are redirected automatically. The criticality is capped at `Medium` because Auth0 is a third-party service that we can configure only to an extent. If you have found a vulnerability in Auth0 itself, please report it to them first.

    URL
    medium
  • *.gocardless-cicd.io

    Non-production environment for infrastructure services.

    WILDCARD
    medium
  • https://ob-sandbox.gocardless.io

    This is an API endpoint used in the Account Information Services (AIS) end-user flow: the Bank Account Data APIs are used to create a Requisition, and the end user visits the created [Requisition link](https://developer.gocardless.com/bank-account-data/quick-start-guide/#step-4-build-a-link) to authorise consent for a Merchant to use data from the end user's bank.

    This is the Sandbox version of `ob.gocardless.com`. The AIS PSU flow cannot be started against it, because there is no Sandbox version of `bankaccountdata.gocardless.com`. However, unauthenticated testing and infrastructure testing that cannot be performed on the Production instance can be carried out on this Sandbox instance.

    API
    medium
  • payer-details-sandbox.gocardless.com

    This is our new `payer-details` service that allows Payers to update their bank details. It is part of a workflow that is initiated from the Merchant Dashboard (`manage-sandbox.gocardless.com`) by the Merchant to send the Payer a URL that will take them through the `payer-details` workflow to update their details.

    URL
    high
  • bankaccountdata.gocardless.com

    Note that this is a production instance, so you must avoid denial of service, data corruption, and any other destructive or disruptive actions. No automated scanning allowed - manual testing only!
    This is our Bank Account Data dashboard application and Open Banking API endpoint meant for partners and developers who wish to integrate with our Open Banking APIs.

    OTHER
    high
  • ob.gocardless.com

    This is the PRODUCTION endpoint for Account Information Services (AIS) user-facing flow (Bank Account Data (BAcD) and Instant Bank Payments (IBP)). Only gentle manual testing of the workflow can be performed using this instance. No DoS or other destructive testing, no attacks on the infrastructure.

    This is an API endpoint used in the Account Information Services (AIS) end-user flow: the Bank Account Data APIs are used to create a Requisition, and the end user visits the created [Requisition link](https://developer.gocardless.com/bank-account-data/quick-start-guide/#step-4-build-a-link) to authorise consent for a Merchant to use data from the end user's bank.

    Steps:
    1. Register at https://bankaccountdata.gocardless.com
    2. Create a secret pair and note down the `secret_key` and `secret_id` values
    3. Get the BAcD Postman collection: https://developer.gocardless.com/bank-account-data/postman
    4. Use the `secret_key` and `secret_id` values to get an access token via the `/api/v2/token/new` endpoint
    5. Create an End-User Agreement (EUA) via the `/api/v2/agreements/enduser/` endpoint using one of the sandbox institutions: https://developer.gocardless.com/bank-account-data/sandbox
    6. Use the EUA ID to create a requisition via the `/api/v2/requisitions` endpoint
    7. Use the `link` returned in the requisition response to start the Open Banking (OB) payment service user (PSU) flow, which is in scope

    URL
    medium
  • xero-sandbox.gocardless.com

    GoCardless integration with Xero (GC4X). Users and permissions are managed through the Dashboard application (manage.gocardless). ReadOnly users cannot access GC4X; ReadWrite and Admin users have the same level of access on GC4X.

    URL
    none
  • *.gocardless.io, *.gocardless-banking.io

    Internal infrastructure and tools (e.g., performance dashboards).

    WILDCARD
    high
  • *.gocardless-staging.io

    Staging environment for GoCardless applications, APIs, and internal tools being developed or supported. It is commonly used for testing and development and is identical to the Sandbox environment, where we prefer testing to be done.

    WILDCARD
    medium
  • oauth-sandbox.gocardless.com

    The authentication component for GoCardless for Xero (GC4X).

    URL
    high
  • *.gocardless-lab.io

    Testing and experimentation environment for internal tools with no live data.

    WILDCARD
    low
  • api-sandbox.gocardless.com

    Sandbox version of the Merchant Dashboard API component - used to power the Merchant Dashboard (manage.gocardless) and to provide functionality for customers who wish to integrate their services with ours.

    URL
    critical
  • *.gocardless.com

    Public GoCardless assets unrelated to authenticated access to sensitive merchant and payer information.

    WILDCARD
    medium
  • ob.gocardless.com

    This is the endpoint of our Open Banking APIs.
    Note that this is a production instance, so you must avoid denial of service, data corruption, and any other destructive or disruptive actions. No automated scanning allowed - manual testing only!

    URL
    medium
  • bankaccountdata.gocardless.com

    This is our Bank Account Data dashboard application meant for partners and developers who wish to integrate with our Open Banking APIs.
    Note that this is a production instance, so you must avoid denial of service, data corruption, and any other destructive or disruptive actions. No automated scanning allowed - manual testing only!

    URL
    medium
  • bankaccountdata.gocardless.com, ob.gocardless.com

    Note that these are production instances, so you must avoid denial of service, data corruption, and any other destructive or disruptive actions. No automated scanning allowed - manual testing only!
    This is our Bank Account Data dashboard application and Open Banking API endpoint meant for partners and developers who wish to integrate with our Open Banking APIs.

    OTHER
    medium
  • connect-sandbox.gocardless.com

    Sandbox version of the Merchant Dashboard OpenID authentication component.

    URL
    high
Target Scope Domains
  • api-sandbox.gocardless.com
  • auth0.gocardless.com
  • bankaccountdata.gocardless.com
  • connect-sandbox.gocardless.com
  • gocardless-cicd.io
  • gocardless-lab.io
  • gocardless-staging.io
  • gocardless.com
  • gocardless.io, gocardless-banking.io
  • manage-sandbox.gocardless.com
  • oauth-sandbox.gocardless.com
  • ob.gocardless.com
  • pay-sandbox.gocardless.com
  • payer-details-sandbox.gocardless.com
  • www.gocardless.com
Last Finished Scan:
  • Fleet: allsubs
  • Duration: 4.35 Minutes
  • Finished: 2 weeks ago
  • State: Finished