Stripe HackerOne


Target Policy
https://hackerone.com/stripe?type=team
Structured Scope
  • Asset Identifier
    Asset Type
    Max Severity
  • *.indiehackers.com

    We only offer a bounty for Critical severity reports, but continue to accept Low, Medium, and High severity reports.

    URL
    critical
  • *.payable.com

    **Only Critical vulnerabilities on this asset are eligible for reward.**

    URL
    critical
  • Stripe Payment Links

    Docs: https://docs.stripe.com/payment-links

    OTHER
    critical
  • *.getbouncer.com
    URL
    none
  • api.stripe.com

    https://stripe.com/docs/api

    URL
    critical
  • *.reckostaging.com
    URL
    critical
  • *.recko.io
    URL
    critical
  • Stripe Climate

    Docs: https://docs.stripe.com/climate

    OTHER
    critical
  • http://*.billflow.io

    Only critical severity submissions will be accepted on this asset.

    WILDCARD
    critical
  • Stripe Dashboard

    A user interface to operate and configure your Stripe account.

    URL: https://dashboard.stripe.com
    Docs: https://stripe.com/docs/dashboard

    OTHER
    critical
  • Stripe Revenue Recognition

    Docs: https://docs.stripe.com/revenue-recognition

    OTHER
    critical
  • Stripe Treasury

    Docs: https://docs.stripe.com/treasury

    OTHER
    critical
  • com.stripe.android.dashboard

    Google Play Store URL: https://play.google.com/store/apps/details?id=com.stripe.android.dashboard&hl=en_US&pli=1

    GOOGLE_PLAY_APP_ID
    critical
  • www.stripe.partners
    URL
    critical
  • api.taxjar.com
    URL
    critical
  • Stripe Atlas

    Startup incorporation

    Docs: https://stripe.com/docs/atlas

    OTHER
    critical
  • Stripe Tax

    Docs: https://docs.stripe.com/tax

    OTHER
    critical
  • 978516833

    Stripe iOS Dashboard App
    App Store URL: https://apps.apple.com/us/app/stripe-dashboard/id978516833

    APPLE_STORE_APP_ID
    critical
  • Stripe Invoicing

    Docs: https://docs.stripe.com/invoicing

    OTHER
    critical
  • Stripe Capital

    Docs: https://docs.stripe.com/capital/how-stripe-capital-works

    OTHER
    critical
  • app.taxjar.com
    URL
    critical
  • Stripe Sigma

    Custom reports

    Docs: https://stripe.com/docs/sigma

    OTHER
    critical
  • Stripe Identity

    Docs: https://docs.stripe.com/identity

    OTHER
    critical
  • Stripe Financial Connections

    https://docs.stripe.com/financial-connections

    OTHER
    critical
  • Stripe for Visual Studio Code
    OTHER
    critical
  • Stripe Radar

    Fraud and risk management

    Docs: https://stripe.com/docs/radar

    OTHER
    critical
  • *.lemonsqueezy.com

    WILDCARD
    critical
  • *.stripe.com
    URL
    critical
  • Stripe Issuing

    Card creation

    Docs: https://stripe.com/docs/issuing

    OTHER
    critical
  • js.stripe.com

    https://stripe.com/docs/js

    Sample Stripe.js application: https://github.com/stripe-samples/accept-a-card-payment

    URL
    critical
  • Stripe Billing

    Subscriptions and invoicing

    Docs: https://stripe.com/docs/billing

    Sample Billing applications:
    * [stripe-samples/subscription-use-cases](https://github.com/stripe-samples/subscription-use-cases): Create subscriptions with fixed prices or usage based billing.
    * [stripe-samples/checkout-single-subscription](https://github.com/stripe-samples/checkout-single-subscription): Learn how to combine Checkout and Billing for fast subscription pages

    OTHER
    critical
  • Stripe Checkout

    Prebuilt, Stripe hosted checkout page

    URL: https://checkout.stripe.com/
    Docs: https://stripe.com/docs/payments/checkout

    Sample Checkout applications:
    * [stripe-samples/checkout-subscription-and-add-on](https://github.com/stripe-samples/checkout-subscription-and-add-on): Uses Stripe Checkout to create a payment page that starts a subscription for a new customer.
    * [stripe-samples/checkout-one-time-payments](https://github.com/stripe-samples/checkout-one-time-payments): Use Checkout to quickly collect one-time payments.

    OTHER
    critical
  • Stripe Terminal

    In-person and omnichannel payments

    Docs: https://stripe.com/docs/terminal

    Sample Terminal application: [stripe/stripe-terminal-js-demo](https://github.com/stripe/stripe-terminal-js-demo): Demo app for the Stripe Terminal JS SDK

    OTHER
    critical
  • Tap to Pay (Android)

    URL: https://stripe.com/terminal/tap-to-pay
    Docs: https://docs.stripe.com/terminal/payments/setup-reader/tap-to-pay?platform=android

    OTHER
    critical
  • Stripe Elements

    Secure frontend UI component

    Docs: https://stripe.com/docs/stripe-js

    Sample Stripe Elements application: [stripe/elements-examples](https://github.com/stripe/elements-examples): Stripe Elements examples

    OTHER
    critical
  • Stripe Open Source

    Open source projects authored or maintained by Stripe. Only non-archived and non-demo/non-sample projects are in scope. Projects forked from upstream sources are not in scope unless the reported functionality is used by Stripe.

    URL: https://github.com/stripe

    OTHER
    critical
  • Stripe Data Pipeline

    Docs: https://docs.stripe.com/stripe-data/access-data-in-warehouse

    OTHER
    critical
  • Stripe Connect

    Payments for platforms and marketplaces

    Docs: https://stripe.com/docs/connect

    Sample Connect applications:
    * [stripe/stripe-demo-connect-kavholm-marketplace](https://github.com/stripe/stripe-demo-connect-kavholm-marketplace): Demo app for Global Marketplace using Stripe Connect
    * [stripe/stripe-connect-rocketrides](https://github.com/stripe/stripe-connect-rocketrides): Sample on-demand platform built on Stripe: Connect onboarding for pilots, iOS app for passengers to request rides.

    OTHER
    critical
  • Sandboxes

    Description: Sandboxes is the default testing tool offered by Stripe. Sandboxes now has support for all Stripe products (including Stripe Apps, Sigma, and BaaS products). They allow a merchant to now have multiple, isolated ephemeral testing environments rather than the 1:1 model of test mode and its live account.

    Documentation: https://docs.stripe.com/sandboxes

    Threat Model:
    * Safely copying data from Sandbox to live mode (and vice versa)
    * Do testing activities impact the livemode account? (Excluding intentional copying of data to livemode)
    * Do sandbox-only roles only give access to Sandboxes?

    OTHER
    critical
  • Stripe SDKs

    Official API libraries

    URL: https://stripe.com/docs/libraries
    Terminal SDKs: https://stripe.com/docs/terminal/payments/setup-integration

    OTHER
    critical
  • Stripe Payments

    Online payments

    Docs: https://stripe.com/docs/payments

    Sample Payments application: [stripe-samples/accept-a-card-payment](https://github.com/stripe-samples/accept-a-card-payment): Learn how to accept a basic card payment on web, iOS, Android

    OTHER
    critical
  • Stripe Apps

    Vulnerabilities found in third party apps and their backend infrastructure should be reported to the responsible developer.
    Reporters should only report vulnerabilities in Stripe third party apps to Stripe under this program if they do not receive a satisfactory response from the responsible developer. These types of reports are not eligible for a bounty.

    OTHER
    critical
  • Tap to Pay (iOS)

    URL: https://stripe.com/terminal/tap-to-pay
    Docs: https://docs.stripe.com/terminal/payments/setup-reader/tap-to-pay?platform=ios

    OTHER
    critical
  • *.link.co

    Link is a simple and secure way to pay in one click on tens of thousands of sites. Save your payment information with Link the first time you check out. Link will autofill your saved card details and shipping addresses for all future purchases on Link-supported sites. Users can manage their saved information on the link.co website.

    Landing page: https://link.com
    Main application: https://app.link.com
    Support page: https://support.link.com

    URL
    critical
  • Organizations

    Organizations is a new grouping entity where Stripe users can group multiple business accounts. With an Organization, users can:
    - Search for resources across all the business accounts in an Organization.
    - Download consolidated reports that aggregate across all business accounts.
    - Manage access for other users across all business accounts, including creating a role for users at the Organization and inheriting access to all business accounts.
    - Add and remove business accounts where they are the owner, or invite accounts where they are an admin.
    - (Coming Soon) Manage Single Sign-On at the Organization and apply it to all business accounts.

    Documentation: https://docs.stripe.com/payments/account/orgs

    OTHER
    critical
  • *.touchtechpayments.com

    **Only Critical vulnerabilities on this asset are eligible for reward.**

    URL
    critical
  • *.reckoproduction.com
    URL
    critical
Target Scope Domains
  • api.stripe.com
  • api.taxjar.com
  • app.taxjar.com
  • billflow.io
  • indiehackers.com
  • js.stripe.com
  • lemonsqueezy.com
  • link.co
  • payable.com
  • recko.io
  • reckoproduction.com
  • reckostaging.com
  • stripe.com
  • touchtechpayments.com
  • www.stripe.partners

Last Finished Scan:
  • Fleet: allkxss
  • Duration: 18.02 Minutes
  • Finished: 2 weeks, 5 days ago
  • State: Finished