Policies and disclaimer

Responsible disclosure policy

Have you discovered a security flaw in an ICT system belonging to Adyen? Please notify us before informing the outside world, so that we can first take action. Doing so is called ‘responsible disclosure’.

  • What to do:

    • Please send us an email to responsibledisclosure@adyen.com and encrypt this message using our public PGP key

    • Give enough detail to enable us to reproduce the flaw so that it can be remedied as soon as possible. The computer’s IP address or ICT system’s URL and a description of the security flaw is usually sufficient. The more complicated the flaw, the more detail we will require.

    • Leave your contact details so that we can contact you later. At least an email address or telephone number.

    • Report the flaw as soon as possible after discovering it.

    • Do not share any information about the flaw with others until it has been remedied.

    • Deal responsibly with the information in your possession. Do nothing beyond what is necessary to demonstrate the security flaw.

  • What not to do:

    • Send malware;

    • Copy, change, or delete data in the ICT system concerned (as an alternative, you can create a directory listing of the system);

    • Change the system;

    • Repeatedly visit the system or share access with others;

    • Use ‘brute force’ to open the system;

    • Try denial of service or social engineering.

  • What to expect:

    • When you report the security flaw, check that you comply with the conditions described above. If you do so, Adyen will not attach any legal consequences to your notification.

    • Adyen treats the notifications it receives confidentially. It will not share your personal details with third parties without your permission unless required to do so by law or a court order.

    • Adyen can, if you wish, mention your name as the one who discovered the security flaw in our Hall of Fame.

    • Adyen will send you an acknowledgement of receipt within 72 hours.

    • Adyen will respond to your notification within three working days. Its response will contain an assessment of your notification and the date on which it expects to remedy the flaw.

    • Adyen will keep you – as the one who discovered the flaw – informed of the progress made in remedying it.

    • Adyen will remedy the flaw as soon as possible, certainly no later than 60 days after receiving the notification. Adyen will work with you to determine whether and, if so, how the flaw reported is to be made public. It will not be made public until after it has been remedied.

    • Adyen will give you an appreciation as acknowledgement of your work.

  • Excluded Vulnerabilities

    We value the responsible disclosure of vulnerabilities to ensure the security of our systems and users. However, to help streamline our bug bounty and responsible disclosure process, we have identified certain types of findings that we do not consider security risks or impactful to our platform. Generally, this is because we have other controls in place or employ a defense-in-depth approach. As a result, we will not accept or award bounties for the following:

    • DNS Certification Authority Authorization (CAA) Records: Findings related to the absence or misconfiguration of DNS CAA records will not be accepted. DNS CAA records are used to define which certificate authorities (CAs) are allowed to issue certificates for a domain, but their presence or absence does not directly expose any security vulnerabilities within our systems.

    • Domain Name System Security Extensions (DNSSEC): Reports regarding the absence or improper configuration of DNSSEC will not be considered. While DNSSEC is an additional layer of security that helps prevent DNS spoofing, its absence or misconfiguration does not constitute a critical vulnerability affecting our platform's core security.

    • Absence or Misconfiguration of HTTP Security Headers: Reports related to missing or misconfigured HTTP security headers (such as X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, Strict-Transport-Security, etc.) will not be accepted unless they directly lead to a security vulnerability that can be exploited, such as clickjacking, XSS, or other tangible security risks.