Active Program | $5,000 flat · validated critical | Full platform surface · no exclusions

PayKickstart (paykickstart.com) Bug Bounty: $5,000 Each Validated Critical — Full Scope, Kill Chain Required

This program covers the PayKickstart all-in-one shopping cart & affiliate management platform in full. All web applications, APIs, checkout pages, recurring billing, subscription management, affiliate dashboard, CRM, and API integrations are in scope. For each critical flaw validated, hunters earn exactly $5,000 USD. Special bounty: $10,000+ for successful production user database extraction. Reports must include a narrative attack chain plus credible proof of successful exploitation.

Reward Structure

Critical: $5,000
RCE, SQL injection with data extraction, authentication bypass, admin takeover, payment manipulation.

Special — DB Extraction: $10,000+
Successful extraction of production user database. Tiered: $10,000 partial dump, $15,000 full dump with PII/financial data. Live extraction evidence required.

Submission Requirements

Safe Harbor

Research under this program is authorized. We will not pursue claims against good-faith researchers who comply with the requirements above. Rewards are paid after validation.