It is a worldwide platform for ethical hackers to identify and report vulnerabilities in a company’s system or software in exchange for rewards or monetary compensation.
We encourage more people to find and report security bugs in our products, so that we can make our products even more secure than they already are.
If you don't work for M-pesa Africa or its subsidiaries and are not among the creators or reviewers of the code in which the bug was found, yes.
ELIGIBLE SOFTWARE
The primary applications we offer bounties for are the most recent versions of our web apps, the Android mobile app, and the iOS mobile app. Bounties may be awarded for other non-Beta, non-End-of-Life products offered by M-pesa Africa which are included in the Web bug bounty program; however, whether a bounty is awarded, and its amount, is at the committee's discretion.
No. We have decided to use our limited resources to focus on our end-user products, as opposed to the other software produced and used by VCL Financial Services. However, we do offer a Web Bug Bounty for the M-pesa Africa web sites and services we run for M-pesa Africa for our users.
In general we mean the nightly release available for download on the Play/App Store at the time the bug was reported. However, we will also consider paying rewards for security bugs as discussed in the questions and answers below.
In general, bugs found in earlier releases are eligible for a reward only if we can reproduce the problem using the most recent version.
However, as an exception, we will typically also pay a reward for bugs found in the latest versions of our other channels (Release, Beta, and Extended Support Release channels) if the bugs are not present in their most recent version but were never recognized and fixed as security bugs. (For example, the bug might be in code associated with a feature that was removed and/or heavily modified in the most recent version, and might have been "fixed" solely as a byproduct of other unrelated changes.)
Yes, if the bug can be reproduced in an official M-pesa Africa release and otherwise meets the published guidelines.
Yes, if the operating system is officially supported by the most recent version of the product for which you're reporting the bug. (For a list of supported operating systems and hardware configurations, see the system requirements for the web and mobile apps, or for iOS / Android.)
Ultimately, the reward depends on the sec rating assigned (sec-high or sec-moderate/low). If the preference is exposed via our Preferences Page, we consider that to be a supported configuration for applications. If the preference is enabled by default in a current Firefox channel (e.g. Nightly or Beta), it is also considered supported. If the preference must be configured via about:config or requires other non-standard operating system configuration, that is typically not considered a supported configuration. Those vulnerabilities will typically not be rated sec-high, and will be evaluated accordingly for a bounty.
ELIGIBLE BUGS
Reproducible security bugs that are determined to be rated critical or above are eligible. In general we consider high severity security bugs to be those that allow execution of arbitrary code on users' systems or allow access to users' confidential information. In the latter case we consider bugs to be sec-high only if they potentially expose high-value personal information (e.g., passwords, credit card numbers, and the like); in the context of the bug bounty program we do not consider bugs to be sec-high if they potentially expose only lower-value information (e.g., browsing history) or information that would be useful primarily for other exploits (e.g., the names of files or directories on the user's system).
Finally, in general we do not consider bugs that permit only denial of service attacks to be eligible in the sense described above.
DoS bugs are generally less serious than other security bugs (e.g., they typically do not lead to corruption or destruction of user data, much less theft of data), and in many cases a DoS attack does not involve an actual bug but simply misuse of standard product features (e.g., putting up a web site with an excessive number of graphics, sending excessively long mail messages, etc.). We have therefore decided to concentrate our limited resources on rewarding people who find what we consider to be more serious security problems.
Bug reporting, etc.
Depending on the manner in which it was published, and the details that were disclosed, it may be possible; however, we typically do not pay bounties in situations where developers need to drop existing work to respond to an urgent fix needed due to a public disclosure.
We encourage people to report bugs directly to the M-pesa Africa HackerOne project, in order to ensure that the bug is made known as soon as possible to the people who can fix it.
Sometimes, yes. For example, if you find an M-pesa application exploit in the wild that uses a previously unknown vulnerability and report it, you can be eligible for a bounty for that vulnerability even though you didn't discover the vulnerability itself.
No. We're rewarding you for finding a bug, not trying to buy your silence. However, if you report the bug through the standard M-pesa Africa process and haven't already published information about it, then we do ask that you follow the guidelines set forth in the official policy on handling M-pesa Africa security bugs. Under this policy, security-sensitive bug reports in our HackerOne system may be kept private for a limited period of time to give us a chance to fix the bug before it is made public, with an option for the bug reporter (or others) to open the bug to public view earlier whenever circumstances warrant it (e.g., if your bug report is being completely ignored).
Yes. Again, we're rewarding you for finding a vulnerability, not trying to buy your cooperation. However, we invite you to work together with us to resolve the issue, and doing so can increase the reward that is ultimately paid. You'll also get the opportunity to work as a full member of the team fixing your bug and see "from the inside" exactly how Mozilla security bugs get resolved.