This repository adheres to the PayPal Vulnerability Reporting Policy.
If you think you have found a vulnerability in this repository, please report it to us through coordinated disclosure.
Please do not report security vulnerabilities through public issues, discussions, or pull requests.
Instead, report it using one of the following ways:
- Email the PayPal Security Team at security@paypal.com
- Submit through the PayPal Bug Bounty Program on HackerOne
- Report a vulnerability directly via private vulnerability reporting on GitHub
Please include the following in your report:
- The type of issue and affected version(s)
- Step-by-step instructions to reproduce the issue
- Impact of the issue and how an attacker might exploit it
Only the latest release series receives patches and new versions in the case of a security issue. See our deprecation policy for details.
For severe security issues, we will provide new versions as above. Additionally, the last major release series may receive patches at our discretion. Severity classification is determined by the Braintree SDK team.
| Platform | Supported Versions |
|---|---|
| Android | Most widely used versions at the time of SDK release |
For details on supported platform versions, see our deprecation policy.
We are committed to working with security researchers in good faith. To support responsible disclosure, our team will:
- Acknowledge your report in a timely manner
- Keep you informed of our progress toward a fix
- Notify you before any public disclosure
We ask that you:
- Do not publicly disclose the issue before it has been resolved
- Avoid accessing, modifying, or deleting data that does not belong to you
- Make a good faith effort to avoid disruption to production systems
We appreciate responsible disclosure and your efforts to keep Braintree SDK users safe.