PayPal

target_in_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
*.paydiant.com URL critical
*.paypal.com URL critical
*.venmo.com URL critical
*.xoom.com URL critical
com.paypal.android.carica GOOGLE_PLAY_APP_ID critical
com.paypal.android.claro GOOGLE_PLAY_APP_ID critical
com.paypal.android.p2pmobile GOOGLE_PLAY_APP_ID critical
com.paypal.android.telcel GOOGLE_PLAY_APP_ID critical
com.paypal.carica APPLE_STORE_APP_ID critical
com.paypal.claro APPLE_STORE_APP_ID critical
com.paypal.here GOOGLE_PLAY_APP_ID critical
com.paypal.here APPLE_STORE_APP_ID critical
com.paypal.herehd APPLE_STORE_APP_ID critical
com.paypal.merchant APPLE_STORE_APP_ID critical
com.paypal.merchant.client GOOGLE_PLAY_APP_ID critical
com.paypal.telcel APPLE_STORE_APP_ID critical
com.venmo GOOGLE_PLAY_APP_ID critical
com.xoom.android.app GOOGLE_PLAY_APP_ID critical
com.xoom.app APPLE_STORE_APP_ID critical
com.yourcompany.PPClient APPLE_STORE_APP_ID critical
net.kortina.labs.Venmo APPLE_STORE_APP_ID critical
paypal.me URL critical
paypalobjects.com URL critical
py.pl URL critical
sandbox.braintreegateway.com URL critical
www.paypal-*.com URL critical
PayPal's Partner Sites (www.paypal-__.com) are mainly marketing-based sites that are not part of the core PayPal customer domains (.paypal.com) and are managed by hosting vendor companies. They have variable timelines and are often decommissioned. A listing of these sites designated for deprecation will not be publicly maintained due to frequent changes. When researching bugs on these sites, please keep this in mind, as bug submissions for sites on schedule for deprecation will not be honored. Submissions of bugs relating to services or domains not referenced above or for sites on schedule for deprecation are ineligible for the Bug Bounty Program and will not be eligible for a Bounty Payment.
*.braintree-api.com URL critical
For testing and account creation, please use *.sandbox.braintree-api.com rather than production.
*.braintreegateway.com URL critical
For testing and account creation, please use *.sandbox.braintreegateway.com rather than production.
*.braintreepayments.com URL critical
For testing and account creation, please use *.sand.braintreepayments.com rather than production.
*.braintree.tools URL critical
Please note, this is a development environment that is constantly in flux. Accordingly, vulnerabilities found on this asset will generally have lower impact and payouts.
decision.swiftfinancial.com URL critical
We are aware that the root URL of this domain returns an error; the API is functioning correctly.
partner.swiftfinancial.com URL critical
We are aware that the root URL of this domain returns an error; the API is functioning correctly.
pigeon.swiftfinancial.com URL critical
We are aware that the root URL of this domain returns an error; the API is functioning correctly.
prequal.swiftfinancial.com URL critical
We are aware that the root URL of this domain returns an error; the API is functioning correctly.
scrutiny.swiftfinancial.com URL critical
We are aware that the root URL of this domain returns an error; the API is functioning correctly.
api.loanbuilder.com URL critical
api.swiftfinancial.com URL critical
loanbuilder.com URL critical
my.loanbuilder.com URL critical
my.swiftfinancial.com URL critical
swiftcapital.com URL critical
swiftfinancial.com URL critical
www.loanbuilder.com URL critical
www.swiftcapital.com URL critical
www.swiftfinancial.com URL critical

target_out_of_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity