Passquare

Passquare Bug Bounty

Version 2.0.1

We invite security researchers to participate in the Passquare Bug Bounty Program.
We appreciate the contribution of researchers and reward valid vulnerabilities that improve the security of our ecosystem.

How to Join
To participate in the program, send an email to hello@passquare.com with the following information:

Your first name, last name, and contact phone number;
The IP address from which testing will be performed, or a request to authorize the X-Bug-Bounty header;
A profile on any specialized platform (if available), such as hackerone.com, bugcrowd.com, intigriti.com, and others.

Allowed Vulnerability Types
Critical

RCE
SQLi / NoSQLi
SSRF with access to internal resources
Full authentication bypass
Privilege escalation

High

XXE
Stored XSS
Broken Access Control
Insecure file upload
MITM
Session management issues
Subdomain takeover

Medium

Reflected XSS
IDOR
Business logic vulnerabilities
Misconfigurations with medium impact
Open redirect

Low

Informational disclosures without impact
Cache-related issues
Minor configuration issues

Social engineering and phishing are allowed only with prior approval.
DoS/DDoS attacks are strictly prohibited.
If you plan to test a vulnerability type that is not listed above, please request approval in advance.

Testing Scope
Allowed domains:

*.passquare.com
*.passhook.com

If a vulnerability is found outside the listed scope, prior approval is required.

Reporting Requirements
Reports should be sent to hello@passquare.com and must include:

A detailed reproduction scenario;
The script or tool used for exploitation;
The execution log file;
A screen recording demonstrating the exploitation.

After testing, the system must be returned to its original state.

Participation Rules

Current and former Passquare employees are not eligible to participate.
Public disclosure of vulnerabilities is prohibited, including after they have been resolved.
Rewards are not guaranteed if program rules are violated.