This Responsible Disclosure Policy was last modified on 22nd February, 2021.
PayKun makes continuous efforts to ensure that our environment is safe and secure for everyone to use. The security of our data and systems is of great importance to us. We appreciate you responsibly disclosing to PayKun any security vulnerabilities you have discovered in any of PayKun's services.
When you report vulnerabilities to PayKun in accordance with this Responsible Disclosure Policy, we will engage with you as an external security researcher (the Researcher).
Provided that a Researcher, when reporting security vulnerabilities to PayKun, abides by the rules prescribed in this Responsible Disclosure Policy, and unless the law or payment scheme practices specify otherwise, PayKun commits to:
Any of the PayKun services, including iOS or Android-based apps, which process, store, transfer or use in one way or another personal or sensitive personal information, such as card data and authentication data.
In particular, web service vulnerabilities are classified using the OWASP Top 10, and mobile application vulnerabilities are classified using the OWASP Mobile Top 10.
Any services hosted by third-party providers and services not provided by PayKun.
To perform any testing or research, a Researcher may use their own merchant accounts and must not access any account or data of which they are not the owner.
A Researcher testing a merchant account may be the account owner or an agent approved by the account owner. In no case is the Researcher authorized or granted access to any other merchant account, or permitted to download or modify data in any account that does not belong to the Researcher, or to attempt any such activities.
The Researcher must not infringe any applicable laws or regulations.
The following test types are explicitly excluded from scope, in the best interests of the safety of our merchants, users, employees, the internet at large, and you as a Researcher: any findings from physical testing (office access, tailgating, open doors) and DoS or DDoS vulnerabilities.
Reports of spelling mistakes or UI and UX bugs are excluded from this Responsible Disclosure Policy.
Researchers must abide by the following terms and conditions:
The Researcher needs to report to us the detailed steps and a description that enable us to reproduce the vulnerability (PoC scripts, screenshots, and compressed screen captures are all helpful to us). They must include their email address.
They need to email us at firstname.lastname@example.org
This Responsible Disclosure Policy does not accommodate monetary requests or demands for identified or alleged vulnerabilities.
PayKun appreciates your help in keeping our environment safe and secure by identifying and reporting security vulnerabilities in a responsible manner. Once a reported vulnerability is verified and fixed, we would like to express our gratitude by putting your name on our Hall of Fame page.
PayKun will not pursue legal complaints or civil action for accidental violations of this policy made in good faith. We consider activities undertaken in accordance with this policy to represent “authorized” conduct under the Computer Fraud and Abuse Act. We will not bring a Digital Millennium Copyright Act (DMCA) claim against you for bypassing the technological measures used to protect the applications in question.
If a third party initiates any legal action against you and you have abided by the PayKun Responsible Disclosure Policy, PayKun will take steps to make it known that your research and actions were carried out in compliance with this policy.
The PayKun Security Vulnerability Program operates in “Public Non-Disclosure” mode, which means that by default, as per this policy, one must not make information about vulnerabilities public under this program; those who do are liable for legal penalties.