The Block’s security policies and practices seek to ensure compliance with all applicable laws, regulations, and our contractual obligations. Our policies and practices also seek to ensure the confidentiality and integrity of our data as well as the availability of the services we provide.
The Block’s security policies apply to all employees (full or part time), interns, and contractors. All policies are approved by the leadership committee and are scheduled to be reviewed yearly. We have a variety of policies in place to cover topics such as change management, third-party vendors, acceptable use, and risk management.
All user accounts require both a complex password (minimum of 10 characters) and MFA.
Access to resources is based on the principle of least privilege and is granted through a change management process. Access that is not needed long term is revoked.
All new hires receive an initial security training. All employees receive monthly security micro-trainings on rotating topics. Educational phishing simulations are run on a monthly basis. Other trainings are held on a rolling basis.
Testing and production environments are logically separated. Corporate users have no access to testing or production. Each boundary is protected by a firewall that limits ports and services to those required. Access to the various environments is based on business need.
All changes to production and sensitive access grants go through a change management process. Separation of duties is enforced during the change management process. All requests are reviewed regardless of approval status. An emergency process for after-hours urgent changes is also in place.
An email firewall is in place to scan for malware in attachments and block suspicious emails. The email server will attempt to negotiate encryption if the sender’s server also supports encryption. Email is equipped with a “report phishing” button that allows employees to alert the Security Team to any phishing emails that made it past the firewall.
Production infrastructure is scanned on a monthly basis. Identified vulnerabilities are addressed based on criticality level.
All data classified confidential or above is encrypted at rest (AES-256) and in transit (TLS 1.2 or above).
Vendors that store, process, or transmit data classified confidential or above receive a risk evaluation by the Security Team.
Vendor security posture, terms of service, and privacy practices are evaluated.
The Block welcomes security researchers who are able to help us improve our security posture. Please read this page fully before engaging in any testing to ensure you remain within our acceptable guidelines for such testing; violating these rules of engagement will result in an IP block. The Block reserves the right to withhold payment if the guidelines herein are not followed.
These are the only domains that should be tested. No subdomains or other domains belonging to The Block should be tested.
The scope of this bug bounty program is for bugs that impact our security posture. Non-security bugs are not eligible for payment.
Bugs that are not security related.
Vulnerabilities that are not on the scoped websites. (For example, vulnerabilities on our Facebook page.)
Vulnerabilities in third parties we use.
In cases where one underlying issue causes multiple vulnerabilities, a reward is issued for the underlying issue, not the individual vulnerabilities.
Previously known vulnerabilities (found by us or found by another researcher) or vulnerabilities that we deem “informative.” These are vulnerabilities that we’re aware of and don’t deem a security threat to us.
Vulnerabilities that would require our employees’ interaction (e.g., installing software, navigating to a site, clicking on a malicious link, etc.)
We will confirm receipt of a complete report within 1 business day. We then request 5 business days to validate the vulnerability. Payment will be made once the vulnerability is closed and subsequently confirmed by the reporter, or within 30 days, whichever comes first.
Our pay range is between $50 and $1,000 depending upon how severely we feel we are impacted by the vulnerability. The more severe the vulnerability, the higher the payment.
Once we’ve had time to review your submission, we will respond to you with the award amount, if applicable. Please submit an invoice to us for the specified amount. Payments are issued in USD (US dollars) via bank-to-bank transfer.
You will be asked to provide us with your full name, your country of residence, and a short summary of your security credentials.
We are unable to issue rewards to individuals who are on sanctions lists, or who reside in countries (e.g., Cuba, Iran, North Korea, Syria, Crimea, and the so-called Donetsk People's Republic and Luhansk People's Republic) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter the program depending upon your local laws.
This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and that the decision as to whether or not to pay a reward is entirely at our discretion.
Your testing must not violate any law, or disrupt or compromise any data that is not your own.
To avoid potential conflicts of interest, we will not grant rewards to people employed by The Block or The Block Partner companies who develop software covered by this program.
Last updated: February 10, 2023