M-PESA BUG BOUNTY POLICY


If you believe you have found a security vulnerability on any of our M-Pesa products or services, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.

You must email findings to bugbounty@m-pesa.africa. Be aware that we do not permit any reports to be publicly disclosed. Should your submission be valid and impactful, you may be invited to join our private Bug Bounty Program on HackerOne. If you feel you are eligible to be a member of our program, we also advise you to send an email with your HackerOne ID to the above-mentioned email address. This will be reviewed and accepted if the reputation is considerable.

Thank you.


  1. Bug Bounty Program Rules
    1. You must provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
    2. Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
    3. When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
    4. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
    5. Social engineering (e.g., phishing, vishing, smishing) is prohibited.
    6. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
    7. Only interact with accounts you own or where you have the explicit permission of the account holder.
    8. Any tests done that violate the above conditions will not be eligible for a bounty reward.

    You are free to report a vulnerability for any of our assets that are out of scope, but they may not be eligible for a bounty. However, we will review them on a case-by-case basis.

    Employees and contractors (or former employees/contractors who have not completed 3 years after leaving the organization) of Safaricom, Vodacom, and Vodafone Markets are not eligible to participate in the bug bounty program. However, they can disclose the vulnerabilities to bugbounty@m-pesa.africa.

  2. Out-of-Scope Subdomains
    When reporting vulnerabilities, please exclude the following subdomains:
    1. Uat
    2. Oat
    3. Mat
    4. Dev
    5. Jenkins
    6. Sandpit
    7. Nonprodss
    8. Test

  3. Out-of-scope vulnerabilities
    When reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
    1. Any activity that could lead to the disruption of our service e.g., denial of service attacks.
    2. Clickjacking / UI Redressing attacks on pages with no sensitive actions.
    3. Unauthenticated/logout/login CSRF.
    4. Attacks requiring MITM or physical access to a user's device.
    5. Previously known vulnerable libraries without a working Proof of Concept.
    6. Comma Separated Values (CSV) injection without demonstrating a vulnerability. Missing best practices in SSL/TLS configuration.
    7. Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
    8. Issues in third-party services/platforms that are beyond our control.
    9. Vulnerabilities as reported by automated tools without additional analysis as to how they are an issue. If an IP address is discovered to use automated tools persistently and constantly, that IP address shall be blocked.
    10. All brute-force attacks.
    11. Self-XSS and XSS that affects only outdated browsers.
    12. Host header and banner-grabbing issues.
    13. Missing HTTP security headers and cookie flags on insensitive cookies.
    14. Open redirects - unless they can be used for actively stealing tokens.
    15. User enumeration such as User email, User ID, etc.
    16. Phishing / Spam (including issues related to SPF/DKIM/DMARC).
    17. Missing security best practices (e.g., account lockout, captcha).
    18. Session fixation and session timeout.
    19. Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end-user interactions to be exploited.
    20. Any bugs or issues related to third parties or vendors (e.g., Cisco, Oracle, Microsoft, etc.) domains.
    21. Self-XSS involving a payload in headers or in the body of the request.
    22. Vulnerabilities that are disclosed to any party other than MPESA, including vulnerability brokers, will not qualify for the reward. This includes both public disclosure and limited private release.

    How to report a vulnerability.
    Please help us by providing as much information as possible about the problem you have discovered. If you have not yet done so, please remember to review our rules and guidelines previously announced before submitting the information here. (A link will be provided by the HackerOne team.)