#POPO-payouts


buoyant patrol
#

Do you mind sharing details about the bug here?

frigid vine
#

Who am I talking to?
Someone that's envolved with the team?

#

involved*

sterile girder
#

Yes, @buoyant patrol and I work at Stripe

#

Hello! We actually try to keep personal info like names out of this chat so I will remove that last message

frigid vine
#

done,

#

The bug lets you withdraw money without even confirming transactions; it requires some fake info!

#

As you can see over there, I've withdrawn the money; now Stripe can't have it back

#

Due to bank restrictions applied to those types of transactions

#

If used by someone with bad intentions, it can create a loss of millions for the company

#

Got there all the procedures, and the method was discovered by me.

sterile girder
#

Can you tell me how to reproduce this?

frigid vine
#

As I said before, I need to talk with someone who's inside the bug bounty program, if you've got any, or I need something more formal so I can report the problem

buoyant patrol
#

We don't have a bug bounty program, but you're welcome to write into support (https://support.stripe.com/contact) if you're not comfortable going into detail here

sterile girder
#
#

We have a Bug Bounty program through HackerOne; please report there

frigid vine
#

Is it considered Critical?

sterile girder
#

Sorry for the confusion. Let me know if you have any further questions

frigid vine
#

It's okay, I didn't want to do it directly with HackerOne. I wanted something easier to do, just a simple talk or an email where I can directly contact the department responsible for that

sterile girder
#

Let me check if we have alternatives. HackerOne submissions go directly to that team; they prefer it to help triage and address those issues

#

You can directly email our security team, but for bug bounty reports they will still try to redirect you to HackerOne