1. INTRODUCTION
At PAYSTRAX AB (hereinafter referred to as PAYSTRAX, we or us) we consider the security of our services a top priority, and we value the security community. But no matter how much effort we put into the security of our services, vulnerabilities may still be present. The disclosure of security vulnerabilities helps us ensure the security of our services and the privacy of our customers.
We are undertaking this program to give you, as a Security Researcher, a point of contact so that you can responsibly disclose your research findings directly to us, where they can then be remediated in a prioritized and efficient way.
2. RESPONSIBLE DISCLOSURE RULES
Please note that this Policy should not be construed as encouragement or permission to hack, penetrate, or otherwise attempt to gain unauthorized access to PAYSTRAX services or data. To avoid any confusion between good-faith reporting and a malicious attack, we ask that you, as Security Researcher:
- Report any suspected or confirmed vulnerability you’ve discovered promptly;
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Perform research only within the scope set out below;
- If a vulnerability provides unintended access to data, cease testing and submit a report immediately (e.g., if you encounter any user data during testing, such as Personal data/Personally identifiable information, payment card data, or proprietary information); you are not authorized to access any PAYSTRAX data;
- Provide us with a reasonable amount of time to remediate vulnerabilities;
- Keep the details of any discovered vulnerabilities confidential;
- Use the identified communication channels to report vulnerability information to us;
- Only interact with accounts you own or with explicit permission from the account holder;
- Do not violate any national and/or international laws and/or regulations.
If you follow these rules when reporting an issue to us, we commit to:
- Not pursue or support any legal action related to your research;
- Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission);
- Send you an expected timeline after triage, and be as transparent as possible about the remediation timeline as well as about any issues or challenges that may extend it;
- Maintain an open dialog to discuss issues;
- Notify you when the vulnerability analysis has completed each stage of our review;
- Recognize your contribution in our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on it.
If we are unable to resolve communication issues or other problems, PAYSTRAX may bring in a neutral third party (such as the National Cyber Security Centre in Lithuania, or the relevant regulator) to assist in determining how best to handle the vulnerability.
3. SCOPE
*.paystrax.com
4. OUT OF SCOPE
Any services hosted by third-party providers, and services not provided by PAYSTRAX, are excluded from scope.
In the interest of the safety of our customers, users, employees, the Internet at large and you as a Security Researcher, the following test types are explicitly excluded from scope and testing:
- Findings from physical testing such as office access (e.g. open doors, tailgating);
- Findings derived primarily from social engineering (e.g. phishing, vishing);
- Findings from applications or systems not listed in the “Scope” section;
- UI and UX bugs and spelling mistakes;
- Network level Denial of Service (DoS/DDoS) vulnerabilities;
- Missing cookie flags on non-session cookies or third-party cookies;
- Email spoofing, SPF, DMARC & DKIM;
- Scanner output or scanner-generated reports, including any automated or active exploit tool;
- Cross Site Request Forgery;
- Banner or version disclosures;
- Any vulnerability that relies upon an outdated browser.
Things we do not want to receive:
- Personal data/Personally identifiable information;
- Payment card data.
5. LEGAL POSTURE
We openly accept reports for the systems and services listed as in scope. We agree not to pursue legal action against Security Researchers who:
- Engage in research without harming PAYSTRAX, its customers and employees;
- Engage in vulnerability testing within the scope of this Policy and avoid testing against Out of Scope services;
- Test without affecting customers;
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
Should legal action be initiated by a third party against Security Researchers for activities that were conducted in accordance with this Policy, we will inform that third party (if needed) about the authorization provided to Security Researchers in this Policy.
6. VULNERABILITY REPORTING
If you believe you’ve found a security vulnerability in our service, please report it to us by emailing security@paystrax.com. Please include the following details with your report:
- Detailed summary of the vulnerability;
- Description of the location and potential impact of the vulnerability, including the exploitability;
- A detailed description of all steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us);
- Tools and artifacts used during discovery;
- IP address used during the testing;
- Your name/handle and a link for recognition in our Hall of Fame;
- Any potential remediation;
- Any plans or intentions for public disclosure.
7. PREFERENCE, PRIORITIZATION, AND ACCEPTANCE CRITERIA
We will use the following criteria to prioritize and triage submissions.
What we would like to see from you:
- Well-written reports in English or Lithuanian will have a higher chance of resolution;
- Reports that include proof-of-concept code equip us to better triage;
- Reports that include only crash dumps or other automated tool output may receive lower priority;
- Reports that include products not on the scope list above may receive lower priority.
8. COMPENSATION
We do not offer compensation to researchers for identifying potential or confirmed security vulnerabilities, and requests for monetary compensation will be treated as a breach of this Policy.
9. SECURITY RESEARCHER HALL OF FAME
PAYSTRAX would like to acknowledge and thank the following people for helping us to improve our security: