HuntDash - stripe

Target Policy

https://hackerone.com/stripe?type=team

Structured Scope

Asset Identifier

Asset Type

Max Severity
*.recko.io

URL

critical
Stripe Climate

Docs: https://docs.stripe.com/climate

OTHER

critical
*.indiehackers.com

We only offer a bounty for Critical severity reports, but continue to accept Low, Medium, and High severity reports.

URL

critical
*.payable.com

**Only Critical vulnerabilities on this asset are eligible for reward.**

URL

critical
Stripe Payment Links

Docs: https://docs.stripe.com/payment-links

OTHER

critical
*.reckostaging.com

URL

critical
*.getbouncer.com

URL

none
http://*.billflow.io

Only critical severity submissions will be accepted on this asset.

WILDCARD

critical
Stripe Treasury

Docs: https://docs.stripe.com/treasury

OTHER

critical
Stripe SDKs

Official API libraries

URL: https://stripe.com/docs/libraries
Terminal SDKs: https://stripe.com/docs/terminal/payments/setup-integration

OTHER

critical
www.stripe.partners

URL

critical
Stripe Atlas

Startup incorporation

Docs: https://stripe.com/docs/atlas

OTHER

critical
api.taxjar.com

URL

critical
Stripe Financial Connections

https://docs.stripe.com/financial-connections

OTHER

critical
app.taxjar.com

URL

critical
api.stripe.com

https://stripe.com/docs/api

URL

critical
Stripe Capital

Docs: https://docs.stripe.com/capital/how-stripe-capital-works

OTHER

critical
Stripe Identity

Docs: https://docs.stripe.com/identity

OTHER

critical
Stripe Revenue Recognition

Docs: https://docs.stripe.com/revenue-recognition

OTHER

critical
Stripe Radar

Fraud and risk management

Docs: https://stripe.com/docs/radar

OTHER

critical
Stripe Issuing

Card creation

Docs: https://stripe.com/docs/issuing

OTHER

critical
978516833

Stripe iOS Dashboard App
App Store URL: https://apps.apple.com/us/app/stripe-dashboard/id978516833

APPLE_STORE_APP_ID

critical
com.stripe.android.dashboard

Google Play Store URL: https://play.google.com/store/apps/details?id=com.stripe.android.dashboard&hl=en_US&pli=1

GOOGLE_PLAY_APP_ID

critical
Stripe for Visual Studio Code

OTHER

critical
*.stripe.com

URL

critical
Stripe Tax

Docs: https://docs.stripe.com/tax

OTHER

critical
js.stripe.com

https://stripe.com/docs/js

Sample Stripe.js application: https://github.com/stripe-samples/accept-a-card-payment

URL

critical
Tap to Pay (Android)

URL: https://stripe.com/terminal/tap-to-pay
Docs: https://docs.stripe.com/terminal/payments/setup-reader/tap-to-pay?platform=android

OTHER

critical
Stripe Dashboard

A user interface to operate and configure your Stripe account.

URL: https://dashboard.stripe.com
Docs: https://stripe.com/docs/dashboard

OTHER

critical
Stripe Sigma

Custom reports

Docs: https://stripe.com/docs/sigma

OTHER

critical
Stripe Data Pipeline

Docs: https://docs.stripe.com/stripe-data/access-data-in-warehouse

OTHER

critical
Stripe Elements

Secure frontend UI component

Docs: https://stripe.com/docs/stripe-js

Sample Stripe Elements application: [stripe/elements-examples](https://github.com/stripe/elements-examples): Stripe Elements examples

OTHER

critical
Stripe Billing

Subscriptions and invoicing

Docs: https://stripe.com/docs/billing

Sample Billing applications:
* [stripe-samples/subscription-use-cases](https://github.com/stripe-samples/subscription-use-cases): Create subscriptions with fixed prices or usage based billing.
* [stripe-samples/checkout-single-subscription](https://github.com/stripe-samples/checkout-single-subscription): Learn how to combine Checkout and Billing for fast subscription pages

OTHER

critical
Stripe Payments

Online payments

Docs: https://stripe.com/docs/payments

Sample Payments application: [stripe-samples/accept-a-card-payment](https://github.com/stripe-samples/accept-a-card-payment): Learn how to accept a basic card payment on web, iOS, Android

OTHER

critical
Stripe Terminal

In-person and omnichannel payments

Docs: https://stripe.com/docs/terminal

Sample Terminal application: [stripe/stripe-terminal-js-demo](https://github.com/stripe/stripe-terminal-js-demo): Demo app for the Stripe Terminal JS SDK

OTHER

critical
Stripe Invoicing

Docs: https://docs.stripe.com/invoicing

OTHER

critical
*.lemonsqueezy.com

Lemon Squeezy is the all-in-one platform for running your SaaS business. Payments, subscriptions, global tax compliance, fraud prevention, multi-currency support, failed payment recovery, PayPal integration and more.

Lemon Squeezy was acquired by Stripe in July 2024. As an acquisition, Lemon Squeezy pays out at the rate schedule listed on our [program page](https://hackerone.com/stripe?type=team#:~:text=In%2Dscope%20acquisition%20bounty%20ranges%20(e.g.%2C%20TaxJar%2C%20Recko%2C%20Bouncer%2C%20Lemon%20Squeezy)).

WILDCARD

critical
Organizations

Organizations is a new grouping entity where Stripe users can group multiple business accounts. With an Organization, users can:
- Search for resources across all the business accounts in an Organization
- Download consolidated reports that aggregates across all business accounts.
- Manage access for other users across all business accounts including creating a role for users at the Organization and inherit access to all business accounts.
- Users can also add and remove business accounts where they are the owner or invite accounts where they are an admin.
- (Coming Soon) Manage Single Sign-On at the Organization and apply to all business accounts.

Documentation: https://docs.stripe.com/payments/account/orgs

OTHER

critical
Sandboxes

Description: Sandboxes is the default testing tool offered by Stripe. Sandboxes now has support for all Stripe products (including Stripe Apps, Sigma, and BaaS products). They allow a merchant to now have multiple, isolated ephemeral testing environments rather than the 1:1 model of test mode and its live account.

Documentation: https://docs.stripe.com/sandboxes

Threat Model:
* Safely copying data from Sandbox to live mode (and vice versa)
* Do testing activities impact the livemode account? (Excluding intentional copying of data to livemode)
* Do sandbox-only roles only give access to Sandboxes?

OTHER

critical
*.bridge.xyz

Stripe [acquired](https://stripe.com/ae/newsroom/news/stripe-completes-bridge-acquisition) Bridge in February 2025.

Bridge does not currently have a self-service sign-up option. Scope for the bug bounty program is limited to researchers testing api.bridge.xyz ([documentation](https://apidocs.bridge.xyz/docs/api-summary)) or Dashboard ([login](https://dashboard.bridge.xyz/)) without credentials at this time. Because of this, the program is interested in potential authentication bypasses or vulnerabilities that surface without valid credentials. In the future, the program may expand to include credentialed testing.

Other static content domains like Bridge's [marketing](https://www.bridge.xyz/) or [docs](https://apidocs.bridge.xyz/) site are out-of-scope.

WILDCARD

critical
Stripe Apps

Vulnerabilities found in third party apps and their backend infrastructure should be reported to the responsible developer.
Reporters should only report vulnerabilities in Stripe third party apps to Stripe under this program if they do not receive a satisfactory response from the responsible developer. These types of reports are not eligible for a bounty.

OTHER

critical
Stripe Connect

Payments for platforms and marketplaces

Docs: https://stripe.com/docs/connect

Sample Connect applications:
* [stripe/stripe-demo-connect-kavholm-marketplace](https://github.com/stripe/stripe-demo-connect-kavholm-marketplace): Demo app for Global Marketplace using Stripe Connect
* [stripe/stripe-connect-rocketrides](https://github.com/stripe/stripe-connect-rocketrides): Sample on-demand platform built on Stripe: Connect onboarding for pilots, iOS app for passengers to request rides.

OTHER

critical
Tap to Pay (iOS)

URL: https://stripe.com/terminal/tap-to-pay
Docs: https://docs.stripe.com/terminal/payments/setup-reader/tap-to-pay?platform=ios

OTHER

critical
Stripe Open Source

Open source projects authored or maintained by Stripe. Only non-archived and non-demo/non-sample projects are in scope. Projects forked from upstream sources are not in scope unless the reported functionality is used by Stripe.

URL: https://github.com/stripe

OTHER

critical
Stripe Checkout

Prebuilt, Stripe hosted checkout page

URL: https://checkout.stripe.com/
Docs: https://stripe.com/docs/payments/checkout

Sample Checkout applications:
* [stripe-samples/checkout-subscription-and-add-on](https://github.com/stripe-samples/checkout-subscription-and-add-on): Uses Stripe Checkout to create a payment page that starts a subscription for a new customer.
* [stripe-samples/checkout-one-time-payments](https://github.com/stripe-samples/checkout-one-time-payments): Use Checkout to quickly collect one-time payments.

OTHER

critical
*.link.co

Link is a simple and secure way to pay in one click on tens of thousands of sites. Save your payment information with Link the first time you check out. Link will autofill your saved card details and shipping addresses for all future purchases on Link-supported sites. Users can manage their saved information on the link.co website.

Landing page: https://link.com
Main application: https://app.link.com
Support page: https://support.link.com

URL

critical
*.touchtechpayments.com

**Only Critical vulnerabilities on this asset are eligible for reward.**

URL

critical
*.reckoproduction.com

URL

critical

Target Scope Domains

api.stripe.com
api.taxjar.com
app.taxjar.com
billflow.io
bridge.xyz
indiehackers.com
js.stripe.com
lemonsqueezy.com
link.co
payable.com
recko.io
reckoproduction.com
reckostaging.com
stripe.com
touchtechpayments.com
www.stripe.partners

Tech Stack

Last Finished Scan:

Scan Name

Fleet

Finished

State

auto-gausubs-2-kcrlf

allkxss

1 month, 1 week ago

Finished

auto-gausubs-2-kcrlf

Fleet: allkxss
Duration: 29 Seconds
Finished: 1 month, 1 week ago

Stripe HackerOne

Target Policy

Structured Scope

Asset Identifier

Asset Type

Max Severity

Target Scope Domains

Tech Stack

Last Finished Scan: