Basis Theory runs a bug bounty program for ethical (“white hat”) hackers and security researchers who discover exploitable security vulnerabilities on our platform. Basis Theory offers cash awards for valid reports, sized according to the potential security risk and impact of the vulnerability.
<aside>
ℹ️
Note: the scope and rules of the Bug Bounty program have recently changed to focus research on areas of higher value to Basis Theory. Please make sure to review the in-scope services and eligible vulnerability categories.
</aside>
Submission Process
- Researcher reaches out to Basis Theory via [email protected] with an exploit or security vulnerability.
- The report should contain a concise explanation of the vulnerability and steps to reliably reproduce the issue. The instructions must be clear enough for Basis Theory engineers to understand and recreate the issue. The reporter must be willing to share details of their testing methodology or answer questions should they arise. Submissions without this necessary support will not be eligible for a cash award.
- Upon review, Basis Theory will contact the researcher for follow-up if necessary or to inquire about the preferred payment method for the cash bounty.
In-Scope Services
The scope of the program is limited to the Basis Theory Customer Portal and APIs, i.e.
Qualifying Vulnerabilities
Any vulnerability that substantially affects the confidentiality or integrity of customer data is likely to be in scope for the program. Common examples include:
- Unauthorized Access and Privilege Escalation
  - Vulnerabilities that allow attackers to access unauthorized resources or take unauthorized actions.
  - Examples: account takeover, API key misuse, session hijacking, insecure token issuance, IDOR.
- Cross-Tenant Isolation Vulnerabilities
  - Implementation bugs that compromise the complete logical and data separation between tenants or customers.
  - Examples: cross-tenant data leakage.
- Sensitive Data Exposure or Exfiltration
  - Bugs that allow tokenized, encrypted, or masked data to be improperly revealed.
  - Examples: unintended unmasked values exposed via APIs, UI, or logs.
- Execution or Processing Environment Escapes
  - Vulnerabilities that compromise the integrity of the compute platform, or escapes from the sandboxed code execution environments.
  - Examples: Reactor sandbox escapes, unauthorized code execution, SSRF through Proxies, command injection.
- Content Injection Vulnerabilities
  - Examples: cross-site scripting, SQL/NoSQL injection.
- Cross-Site Request Forgery
- Server-Side Request Forgery
- Other logic flaws or implementation bugs that leak customer information or bypass significant security controls