Triple-A Bug Bounty Program

Policy

No technology is perfect, and Triple-A believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We welcome you to work with us in resolving the issue promptly. Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.

Triple-A looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.


Contact address

Please contact us at security@triple-a.io.


Scopes

The following domains and applications are within the scope of this program:

  • *.triple-a.io
  • WooCommerce plugin (provided via the WordPress plugins directory)
  • OpenCart plugin (provided via the OpenCart plugins directory)


Out of scope of this program:

  • the (www.)triple-a.io website
  • any WordPress, prototype or test instances that may temporarily be reachable

If a third-party application is hosted on a subdomain, it is eligible for our program. However, we only accept severe vulnerabilities that affect our users, service, or infrastructure. Other findings will be forwarded to the third-party vendor.



Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
  • Give us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Vulnerabilities that are exposed publicly as a part of putting together a proof of concept (e.g. website defacement, stored XSS on a public site) are not eligible for a bounty.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • If any sensitive information is accessed as part of exploitation, it must not be stored, transferred or otherwise processed after the initial discovery. All copies of sensitive information must be returned to Triple-A and may not be retained.
  • Always limit exploitation to the minimal proof of concept required to demonstrate the vulnerability. Do not attempt to access Triple-A's or users' accounts or data, and do not pivot from one vulnerability into post-exploitation of others. Stop, report what you have found, and request permission before any additional testing.


Report format

Please follow this report format when submitting vulnerabilities:

  • Title: A brief and descriptive title of the vulnerability
  • Description: A detailed explanation of the vulnerability, its impact, and its root cause
  • Severity: A rating of the severity of the vulnerability based on the CVSS v3.1 scoring system
  • Impact: A description of how the vulnerability affects Triple-A or its users, service, or infrastructure
  • Steps to reproduce: A clear and step-by-step guide on how to reproduce the vulnerability
  • Proof of concept: A demonstration of the vulnerability using code, screenshots, video, etc.
  • Mitigation: A suggestion on how to fix or prevent the vulnerability

Recommendations

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact
  • Reports that include clear steps to reproduce and proof of concept code will be more likely to be accepted

Exclusions

While researching, we’d like to ask you to refrain from:

  • Denial of service to Triple-A services or our merchants’ and partners’ services
  • Degrading performance or service of Triple-A services or our merchants’ and partners’ services
  • Spamming (even self-spamming)
  • Social engineering (including phishing) of any Triple-A staff or contractors
  • Any physical attempts against Triple-A or Triple-A merchants’ and partners’ property or data centers
  • Accessing private information of Triple-A merchants and partners

Eligibility

In order to be eligible for a bounty, you must meet the following requirements:

  • You must be the first reporter of the vulnerability
  • Vulnerability must be associated with a domain or application listed above and not applicable to the above exclusions
  • You must not publicly disclose the vulnerability without our prior consent
  • Vulnerability must have a clearly identified security impact and presented with enough information for investigation and reproduction by Triple-A staff

Any vulnerabilities reported with the following criteria are not eligible for a bounty:

  • Affecting an ineligible scope
  • Bugs caused by a third-party website that our JS client is embedded on
  • Only affecting outdated browsers/platforms
  • Only affecting the executing user (self-XSS and similar)
  • Caused by misbehaving third-party software/website
  • Applicable only through social engineering
  • Issues that presume you already have access to the affected account (or the user's browser)
  • Vulnerabilities considered by Triple-A to be of low severity

Tool outputs alone are not enough. Scanners and automation tools are common practice in the security community; they often produce many results that need further investigation and can yield many false positives. Reports based on automated tools or scans must include additional analysis demonstrating that the vulnerability is actually exploitable to be eligible for a bounty.



Rewards

  • When duplicates occur, we only award the first report that we receive
  • If a vulnerability is already fixed in the beta version, we will treat it as a duplicate
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty

  Category                                                              Minimum   Up to
  Remote Code Execution (RCE)                                           $250      $1500
  Injection (SQLi or equivalent)                                        $200      $1000
  Local/Remote File Inclusion (LFI, RFI)                                $200      $1000
  Account Takeover (depends on the complexity of user interaction)      $200      $1000
  Sensitive Data Disclosure or Manipulation (IDOR, memory leak, etc.)   $200      $1000
  Server Side Request Forgery (SSRF), non-blind                         $200      $1000
  Server Side Request Forgery (SSRF), blind                             $75       $250
  Corp Admin Stored Cross Site Scripting, blind                         $75       $250
  Stored Cross Site Scripting                                           $50       $200
  Reflected/Other Cross Site Scripting                                  $50       $150
  Cross Site Request Forgery (CSRF)                                     $50       $100
  Self Cross Site Scripting                                             $50       $100


Safe harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.



Fine Print

Triple-A will determine at its own discretion whether a reward should be granted and the amount of the reward. Depending on their impact, not all reported issues qualify for a monetary reward. However, all reports are reviewed on a case-by-case basis.

You must comply with all applicable laws in connection with your participation in this program.

Thank you for helping keep Triple-A and our users safe!