Rapyd Launches Bug Bounty Program: Earn Rewards for Finding Security Vulnerabilities

“If the wall is breached, Helm’s Deep will fall”- Sauruman, LOTR: The Two Towers, 2002. In the movie The Lord of the Rings: The Two Towers by: Peter Jackson, even the greatest fortified stronghold is breached by the evil orcs exposing a weak point in the sewer drain of the wall. It is hard to believe anything so strong could be vulnerable to attacks, but we often see breaches of known companies in the news: Twitter, Facebook/Meta, Linkedin, LastPass, Crypto.com, Coinbase, the list goes on.

Nir Rothenberg, CISO at Rapyd says “Security is an endless practice…It’s changing, it’s shifting, there’s always new attacks…someone is getting hacked right now. It’s better if it’s not you…if you focus on a few simple things, the attackers are going to focus on somebody else.”

Rapyd has been a leader in API security and IT maintenance. As a fintech as a service, Rapyd provides one API integration to accept, hold, and disburse funds in various currencies. The Rapyd API has multiple layers of protection against interception and tampering. Previously, Rapyd has worked with developers to test API security privately for a set time with Hacker0ne and Bugcrowd. Now Rapyd is looking to empower developers directly to openly test the Rapyd API and platforms, and directly report any vulnerabilities.

On April 12, 2023, Rapyd is opening up its bounty to pressure test the API, its security and systems. You can sign up in the Client Portal, grab your API keys to begin any integration, and start hacking. Different testing tiers of importance are explained further on the project page on Bugcrowd. The tiers developers are testing are separated between the Rapyd API, Rapyd Hosted Solutions, Rapyd platforms and portals. This includes Rapyd Checkout, Rapyd Verify Hosted Page, and the Client Portal Dashboard.

For each API call, Rapyd uses a signature calculation, or combination of a chain of strings. This signature process helps secure requests by verifying authorized users, protecting data in transition, and rejecting unauthorized persons.

Begin testing the API, where you can find all endpoints at docs.rapyd.net/reference

  • https://sandboxapi.rapyd.net/v1
  • https://api.rapyd.net/v1

Hosted Pages can be found at the following API calls:

Rapyd is on mission to liberate global commerce with all the tools you need for payments, payouts and business everywhere. To learn more about rewards and guidelines, go to https://bugcrowd.com/rapyd-og.

Please read the Scope and Reward section on the Bugcrowd page above and note that community.rapyd.net is an Out of Scope Target.


Our out-of-scope policy assets are ones hosted by a 3rd party, such as the described targets but not limited to.

Automation/scripts from any kind against support forms are completely out of scope.

2 Likes