Basis Theory has a bug bounty program aimed at ethical “whitehat” hackers or security researchers who discover security exploits and vulnerabilities on our platform. Basis Theory will offer cash awards to researchers for exploits, based on the potential security risk and impact of the exploit.
Submission Process
- The researcher reaches out to Basis Theory via [email protected] with an exploit or security vulnerability.
- The security researcher provides evidence, such as a video or screenshots, of them demonstrating the exploit. A step-by-step methodology must be shared as well. The supporting material must be clear and concise enough for Basis Theory engineer(s) to recreate the exploit. The researcher must be willing to share their method of the exploit. Submissions without this support will not be considered for a cash award.
- Upon review, Basis Theory will contact the researcher for follow-up if necessary or to inquire about the preferred payment method for the cash bounty.
Rules & Scope
The scope of the program is limited to the Basis Theory Customer Portal and APIs:
We do not accept submissions on the following domains:
We do not accept submissions on the following systems:
- Email servers
- Customer Support portal
We do not accept submissions for rate limits / DDoS on authenticated endpoints because:
- We have rate limits in place globally.
- Such submissions are false positives that claim DDoS when in reality the issue is a separate non-security-related bug, a known performance issue, etc.
All submissions must include the following information to be accepted:
- Date and Time of the exploit