Bug Bounty Program Rules

Airwallex is committed to building a strong relationship with the information security community. In order to reward the best external contributions that help us keep our users safe, we maintain a Bug Bounty Program for Airwallex owned web properties.

Issues submitted to bugbounty@airwallex.com will be handled based on priority.

Services in scope

Any Airwallex owned web service that handles reasonably sensitive user data is intended to be in scope. This includes virtually all the content in the *.airwallex.com domain.

Qualifying vulnerabilities 

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. The program is limited to technical vulnerabilities in Airwallex owned / used web applications. 

Please do not attempt to carry out DoS or DDoS attacks, social engineering, spamming or do other similarly questionable things.

The following finding types are specifically excluded from the bounty

- The use of automated scanners is strictly prohibited.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- CSRF attacks that require knowledge of the CSRF token (e.g. attacks involving a local machine).
- Logout Cross-Site Request Forgery (logout CSRF).
- Content Spoofing.
- Login or Forgot Password page brute force and account lockout not enforced.
- OPTIONS HTTP method enabled.
- Username / email enumeration.
- Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
        - Strict-Transport-Security; X-Frame-Options; X-XSS-Protection; X-Content-Type-Options; Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP; Content-Security-Policy-Report-Only; Cache-Control and Pragma.
- HTTP/DNS cache poisoning.
- SSL/TLS Issues,
        - e.g. SSL Attacks such as BEAST, BREACH, Renegotiation attack; SSL Forward secrecy not enabled; SSL weak/insecure cipher suites.
- Self-XSS reports will not be accepted.
        - Similarly, any XSS where local access is required (i.e. User-Agent Header injection) will not be accepted. The only exception will be if you can show a working off-path MiTM attack that will allow for the XSS to trigger.
- Missing or incorrect SPF records of any kind.
- Missing or incorrect DMARC records of any kind.
- Source code disclosure vulnerabilities.
- Information disclosure of non-confidential information
- Email bombing/flooding/rate limiting

Non-qualifying vulnerabilities

Depending on their impact, some of the reported issues may not qualify if they do not present a considerable amount of risk to the business.

Reward amounts for security vulnerabilities

Our monetary rewards are loosely consistent with other known reward programs and the final amount is always chosen at the discretion of our reward panel. In particular, we may decide to pay higher rewards for unusually clever or severe vulnerabilities or pay lower rewards for vulnerabilities that require unusual user interaction. We may also decide a single report actually constitutes multiple bugs or that multiple reports are so closely related that they only warrant a single reward. Airwallex rewards bug bounty hunters on a first-come, first-served basis - the first comprehensive report for the same bug will be awarded any bounty.

Investigating and reporting bugs

When investigating a vulnerability, please only ever target your own accounts. Never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to the users or to Airwallex.

Please bear in mind we are interested in bugs, not user data. If you come across user information during the course of your research, do not save, store, copy, transfer, disclose, or otherwise retain this information and please report it immediately to us.

Note that we are only able to answer technical vulnerability reports. Non-security bugs and queries about problems with your account should be instead directed to our customer support team.

Please perform your research in good faith. Please don’t publicly disclose a vulnerability without our consent and review. Our pledge to you is to respond promptly and fix bugs in a sensible timeframe - and in exchange, we ask for a reasonable advance notice. Reports that go against this principle will usually not qualify, but we will evaluate them on a case-by-case basis.

Legal points

We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Airwallex rewards bug bounty hunters on a first come, first served basis so if you find a vulnerability that has just been reported we will not reward you.

Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.

To contact our information security team, please email bugbounty@airwallex.com.