Basis Theory has a bug bounty program aimed at Ethical “Whitehat” hackers or security researchers who discover security exploits and vulnerabilities on our platform. Basis Theory will offer cash awards to researchers for exploits based on the potential security risk and impact of the exploit.

Submission Process

1. Researcher reaches out to Basis Theory via [email protected] with an exploit or security vulnerability
2. The security researcher provides evidence such as a video or screenshots of them demonstrating the exploit. A step by step methodology must be shared as well. The support must be clear and concise enough for Basis Theory engineer(s) to recreate the exploit. The researcher must be willing to share their method of the exploit. Submissions without this support will not be considered for a cash award.
3. Upon review, Basis Theory will contact the researcher for follow-up if necessary or to inquire about the preferred payment method for the cash bounty.

Rules & Scope

We do not accept submissions on the following domains:

• www.basistheory.com
• basistheory.com
• echo.basistheory.com

We do not accept submissions for rate limits / DDOS on Authenticated endpoints as

• We have rate limits in place globally.
• False positive submissions claiming DDOS when in reality it is a separate nonsecurity related bug, or known performance issue, etc.

All submissions must include the following information to be accepted:

• Date and Time of the exploit
• Full HTTP Response Body, including headers
• URL Endpoint(s) tested against
• Screenshots of exploit
• Steps to reproduce
• Tools used in testing exploit