
  • $100 – $3,000 per vulnerability
  • Managed by Bugcrowd

Program stats

208 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

$744.44 average payout (last 3 months)


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

MasterCard is a technology company in the global payments industry. We operate the world’s fastest payments processing network, connecting consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. MasterCard products and solutions make everyday commerce activities – such as shopping, traveling, running a business and managing finances – easier, more secure and more efficient for everyone. For nearly half a century, MasterCard has been a leader in safety and security. As payment methods continue to evolve, MasterCard is committed to advancing digital security, which includes rigorous testing for potential vulnerabilities. You can help us make our products and services even safer and earn rewards by reporting potential vulnerabilities.

PLEASE NOTE: Rewards will be facilitated through Payoneer ONLY (Setup payment methods)


In scope

The above targets are explicitly in scope and confirmed vulnerabilities found on these targets will be eligible for a reward.

Out of Scope

The following targets are explicitly out of scope, and any submissions reported against them will be marked out of scope.

  • www.priceless.com/golf
  • www.priceless.com/travel
  • www.priceless.com/standup

All vulnerabilities discovered and reported on other targets (including subdomains) will be accepted, but are not eligible for a reward at this time. These submissions will be marked "Not Applicable" to prevent negative ratings.

Known Issue: The Mastercard Payment Gateway Virtual Payment Client (VPC) API that uses the MD5-based cryptogram to provide an integrity check of request parameters contains a critical vulnerability that allows limited modification of those parameters without changing the cryptogram value. This vulnerability is remotely exploitable and does not require authentication. Mastercard has assessed the severity as CVSS 7.5. Mastercard recommends that all customers update their integration to use the HmacSHA256-based cryptogram, which is not vulnerable to parameter tampering. We thank Yohanes Nugroho for his help in identifying this security vulnerability and protecting our customers.
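The page does not describe how the MD5 cryptogram is built, so the following is an added illustration of the class of weakness the Known Issue describes, not Mastercard's VPC code. It assumes a common weak construction (an unkeyed MD5 over the secret followed by the bare parameter values, concatenated in key order with no delimiters) and shows how an attacker can move a character across a value boundary without changing the digest, next to an HMAC-SHA256 over delimited key=value pairs that rejects the same change. The secret, parameter names and values are constructed for the demo.

```python
"""Added illustration of an integrity cryptogram weakened by undelimited
value concatenation, beside a keyed, delimited replacement.
The weak construction is an ASSUMED model of the problem class, not the
actual VPC implementation."""
import hashlib
import hmac

# Constructed demo secret and request; not real merchant material.
SECRET = b"demo-merchant-secret"
ORIGINAL = {"amount": "1000", "currency": "840", "order_ref": "order42"}


def weak_cryptogram(secret: bytes, params: dict) -> str:
    """Assumed weak scheme: MD5 over secret || value1 || value2 || ... with
    values taken in sorted-key order. No key names, no delimiters, and not
    a keyed MAC, so the digest only sees one undivided byte string."""
    body = "".join(params[k] for k in sorted(params)).encode()
    return hashlib.md5(secret + body).hexdigest()


def strong_cryptogram(secret: bytes, params: dict) -> str:
    """HMAC-SHA256 over 'key=value' pairs joined by '&'. The key names and
    the delimiter bind every character to its field, so moving a character
    between fields changes the MAC input; the secret key keeps the tag
    unforgeable for anyone who does not hold it."""
    body = "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, params: dict, tag: str, scheme) -> bool:
    """Recompute the cryptogram with the given scheme and compare it to the
    received tag in constant time."""
    return hmac.compare_digest(scheme(secret, params), tag)


def shift_boundary(params: dict, donor: str, receiver: str, n: int = 1) -> dict:
    """Move the last n characters of params[donor] onto the front of
    params[receiver]. When the two keys are adjacent in sorted order, the
    undelimited concatenation of values is byte-for-byte unchanged, so the
    weak cryptogram is unchanged too."""
    keys = sorted(params)
    if keys.index(receiver) != keys.index(donor) + 1:
        raise ValueError("donor and receiver must be adjacent in sorted key order")
    tampered = dict(params)
    tampered[donor] = params[donor][:-n]
    tampered[receiver] = params[donor][-n:] + params[receiver]
    return tampered


# Attacker turns amount=1000 / currency=840 into amount=100 / currency=0840.
TAMPERED = shift_boundary(ORIGINAL, "amount", "currency")

if __name__ == "__main__":
    weak_tag = weak_cryptogram(SECRET, ORIGINAL)
    strong_tag = strong_cryptogram(SECRET, ORIGINAL)
    print("tampered request:", TAMPERED)
    print("MD5 cryptogram still verifies:",
          verify(SECRET, TAMPERED, weak_tag, weak_cryptogram))
    print("HMAC-SHA256 cryptogram verifies:",
          verify(SECRET, TAMPERED, strong_tag, strong_cryptogram))
```

Whether a tampered request is then honoured depends on how leniently the receiving side parses the shifted values (here, a leading zero in a numeric currency field), which is why such modification is described as limited rather than arbitrary. The fix is the same regardless: a keyed MAC over an unambiguous encoding of the fields, as the HmacSHA256 option provides.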

Additional information

Simplify Commerce
Simplify Commerce is a uniquely versatile, highly scalable and incredibly simple cloud-based payments platform from MasterCard. It works for card brands that the acquirer supports. Designed with the small business owner in mind, it’s a simple, easily integrated and dynamic platform that makes it a strong choice for businesses of all sizes.

  • DO NOT register a new merchant account or attempt to accept real payments, as this involves parties that are out of scope. We have ensured the sandbox has the same functionality needed for testing.
  • Testing is limited to the developer sandbox environment.
  • To create your account, register as a developer. Accounts can be self-provisioned by using your @bugcrowdninja email and the test numbers are available here.
  • If a link goes outside the www.simplify.com or sandbox.simplify.com domains, it is no longer in scope and should not be tested.
  • Simplify has two live partners, Priority Payment Systems and EVO Payment Systems, which are explicitly out of scope.

priceless.com
Priceless Cities is a core tenet of MasterCard’s world-renowned 18-year-old Priceless marketing platform that is currently available in 112 countries and 53 languages. The platform provides exclusive curated experiences and special access in over 35 cities marketed in over 52 countries.

  • Because the application is highly integrated, please note that www.priceless.com/travel and www.priceless.com/golf extend to partners and are not in scope.
  • Accounts can be self-provisioned by using your @bugcrowdninja email.
  • When you register you will be prompted for the first 8 digits of your credit card. Please use 5458 3282 or 5420 9238 for those fields.

Mastercard Regional Websites
The regional MasterCard sites are the company’s external websites, which include public information available to unauthenticated users. The sites include outbound links to resources not hosted on the www.mastercard.com domain. Only the core MasterCard domain is in scope and open to testing. Please be mindful of which domain/subdomain you are testing.


Please create an account on your own using your @bugcrowdninja.com email address. Your 'bugcrowdninja' email address is your username@bugcrowdninja.com. All emails will go to the email address associated with your account.

Focus Areas

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Insecure direct object references
  • Injection Vulnerabilities
  • Authentication Vulnerabilities
  • Server-side Code Execution
  • Privilege Escalation
  • Significant Security Misconfiguration (when not caused by user)
  • Any other issues that could lead to compromise or leakage of data and directly affect the confidentiality or integrity of user data, or user privacy.

Prohibited Testing

  • Do NOT conduct non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure.
  • Do NOT test the physical security of MasterCard offices, employees, equipment, etc.
  • Do NOT perform any attack that could harm our services (e.g. DDoS/Spam).
  • Do NOT attack, in any way, our end users, or engage in trade of stolen user credentials.
  • Do NOT use automated scanners or tools to find vulnerabilities.
  • Do NOT perform automated/scripted testing of web forms, especially "Contact Us" forms that are designed for customers to contact our support team.
  • You may investigate or target vulnerabilities against your own or test accounts, but testing must not disrupt or compromise any data or data access that is not yours.

The following finding types are specifically excluded from the bounty:

  • Email spoofing
  • Missing or incorrect SPF/DMARC/DKIM records of any kind
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled
  • Username / email enumeration
    • via Login Page error message
    • via Forgot Password error message
  • Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • SSL Issues, e.g.
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL weak / insecure cipher suites
  • Vulnerabilities affecting only users of outdated browsers, e.g.
    • IE < 9
    • Chrome < 40
    • Firefox < 35
    • Safari < 7
    • Opera < 13


Program Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.