PayKun Security Vulnerabilities
PayKun makes non-stop efforts to make sure that our environment is safe and secure for everyone to use. The security of our data and system is of great importance to us. We appreciate you disclosing the security vulnerabilities to PayKun in a responsible manner that you have discovered in any of PayKun services.
When you report the vulnerabilities to PayKun as per this Responsible Disclosure Policy, we will engage with you as external security researcher (the Researcher).
Responsible Disclosure Policy
Given that a Researcher when reporting the security vulnerabilities to PayKun abides by the rules prescribed in this Responsible Disclosure Policy unless specified otherwise by the law or the payment scheme practices, PayKun commits to:
- acknowledge the receipt of the vulnerability report immediately and work with the researcher to understand and attempt to fix the issue expeditiously;
- validate and verify, respond and fix that vulnerability in accordance with our commitment to privacy and security. We will inform you when the issue is resolved;
- not proceed or take legal action against you or the person who reported such security vulnerability unless specified otherwise by the law;
- not stop, suspend or hold the access to the PayKun services if you are a merchant and not to stop, suspend or hold the access of the merchants to the PayKun services to which you represent, if you are an agent;
- acknowledge and appreciate you disclosing the vulnerabilities to PayKun in a responsible manner in our Hall of Fame.
In scope of this Policy
Any of the PayKun services, iOS or Android-based apps, which process, store, transfer or use in one way or personal or sensitive personal information, such as card data and authentication data.
In particular, Web service vulnerabilities are classified using OWASP Top-10. Mobile application vulnerabilities are classified using OWASP Mobile Top-10.
Out of scope
Any services hosted by 3rd party providers and services not provided by PayKun.
Testing
To perform any testing or research, a Researcher can use their own merchant accounts and do not access the account or data of which they are not the owner.
A Researcher testing the merchant account can be the account owner or an agent approved by the account owner. The Researcher, in no case, is authorized or granted access to the merchant account or can download or modify the data in any other account, the account that does not belong to the Researcher, or try to do any such activities.
The Researcher must not infringe any applicable laws or regulations.
The test types are excluded explicitly from the scope and testing for the best interests of the safety of our merchants, users, employees, the internet at large, and you as a Researcher - any findings from physical testing (office access, tailgating, open doors) or DOS or DDOS vulnerabilities.
Identifying any spelling mistakes or any UI and UX bugs are excluded from this responsible disclosure.
Rules
The Researchers must abide by the below terms and conditions:
- Must not violate the privacy policy, the user and merchant experience should not be impacted in any way, must not interrupt with or deny services to any user, must not disturb our production system, and must not delete, compromise or misuse data during testing.
- Most not actually exploit a vulnerability, you could only show or explain that it could be exploited.
- Must not incur the loss of funds that are not your own.
- Must not try to have access, download, copy, delete, compromise or misuse others’ data, account, or personal information.
- Must use your own email ID and other information for the account sign up to report such vulnerability information to PayKun.
- Must keep such vulnerability information confidential between you and PayKun. Must not reveal the information, discovery, or the contents of such vulnerability publicly, to any third parties without PayKun’s prior written approval. PayKun will take a reasonable time to solve the vulnerability (approximately 1 month as a minimum) depending on the nature of the vulnerability and regulatory compliance by PayKun.
- Must not make any attack that could impact the integrity, reliability and our service delivery. DDoS/SPAM attacks are strictly not allowed.
- Must not use automated tools or scanners to find vulnerabilities (noisy and your account and IP address will be suspended automatically).
- By reporting the vulnerability, the Researcher grant PayKun and its affiliates a permanent, irrevocable, worldwide, royalty-free, transferable, sublicensable right to use, copy, adapt, develop, create derivative work from or share your submission for any purpose. You waive all claims, including breach of contract or implied-in-fact contract, or quasi-contract arising out of your submission.
- Must not attack in no-technical manner such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Report
The Researcher need to report us the detailed steps and description to enable us to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us). They must include their email address.
They need to email us at [email protected]
Recognition
This Responsible Disclosure Policy is non compliant to the monetary requests or demands for the identified or alleged vulnerability.
Paykun appreciates your help to keep our environment safe and secure by identifying and reporting the security vulnerabilities in a responsible manner. And so, as a result of the report once the vulnerability is verified and fixed we would like to express our gratitude by putting your name on our Hall of Fame page.
Policy Compliance and Consequences
PayKun will not take complaint to law or take any civil action for the accidental violation of this policy happened in good faith. We take the activities undertaken in consistence with this policy to represent “authorized” conduct under the Computer Fraud and Abuse Act. We will not bring a Digital Millennium Copyright Act (DMCA) claim against you for bypassing the technological measure used to protect the applications in subject.
Penalty
If a third party initiates any legal action against you and you have aided by the PayKun Responsible Disclosure Policy, PayKun will take steps to let it be known that the Research and actions were taken complying with this policy.
Public NonDisclosure
PayKun Security Vulnerability Program is a “Public NonDisclosure” Mode, which means that by default as per this policy, under this program one must not make the information about the vulnerabilities public or they are liable for legal penalties.
Small Print
PayKun can make changes to the terms in this program or may terminate it at any time. The changes to this program terms will not be retroactive.PayKun employees and their family members are not eligible for bounties.
