Responsible Disclosure

1. INTRODUCTION 

At PAYSTRAX UAB (hereinafter referred to as PAYSTRAX, we or us) we consider the security of our services a top priority, and we value the security community. But no matter how much effort we put into the security of our services, there can still be vulnerabilities present. The disclosure of security vulnerabilities helps us ensure the security of our services and the privacy of our customers. 

We are undertaking this program to give you, as a Security Researcher, a point of contact so that you can responsibly disclose your research findings directly to us, where they can then be remediated in a prioritised and efficient way.  

2. RESPONSIBLE DISCLOSURE RULES 

Please note that this Policy should not be construed as encouragement or permission to hack, penetrate, or otherwise attempt to gain unauthorised access to PAYSTRAX services or data. To avoid any confusion between good-faith reporting and a malicious attack, we ask that you, as Security Researcher: 

  • Report any suspected or confirmed vulnerability you’ve discovered promptly; 
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing; 
  • Perform research only within the scope set out below; 
  • If a vulnerability provides unintended access to data: cease testing and submit a report immediately (e.g., if you encounter any user data during testing, such as Personal data/Personally identifiable information, payment card data, or proprietary information) – you are not authorised to access any PAYSTRAX data; 
  • Provide us with a reasonable amount of time to remediate vulnerabilities; 
  • Keep the details of any discovered vulnerabilities confidential; 
  • Use the identified communication channels to report vulnerability information to us; 
  • Only interact with accounts you own or with explicit permission from the account holder; 
  • Do not violate any national and/or international laws and/or regulations. 

Anyone investigating security issues in PAYSTRAX shall not:

  • Access unnecessary amounts of data; only access the amount of data necessary to demonstrate the vulnerability to PAYSTRAX;
  • Disclose, copy, modify, or otherwise interfere with any personal or confidential information encountered during testing, such as Personally Identifiable Information (PII) or payment card information;
  • Attempt to introduce malware or malicious code or programs;
  • Delete, destroy or modify any data on PAYSTRAX Platforms, Systems or Services.

All personal data accessed during your testing must be treated as strictly confidential and handled appropriately.

If you follow these rules when reporting an issue to us, we commit to: 

  • Not pursue or support any legal action related to your research; 
  • Work with you to understand and resolve the issue;
  • Send you an expected timeline after triage, and be as transparent as possible about the remediation timeline as well as about any issues or challenges that may extend it; 
  • Recognise your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue. 

If we are unable to resolve communication issues or other problems, PAYSTRAX may bring in a neutral third party (such as the National Cyber Security Centre in Lithuania, the National Cyber Security Centre in the UK, or the relevant regulator) to assist in determining how best to handle the vulnerability. 

3. SCOPE 

*.paystrax.com 

4. OUT OF SCOPE 

Any services hosted by third-party providers, and any services not provided by PAYSTRAX, are excluded from scope.  

In the interest of the safety of our customers, users, employees, the Internet at large and you as a Security Researcher, the following test types are clearly excluded from scope and testing: 

  • Findings from physical testing such as office access (e.g. open doors, tailgating); 
  • Findings derived primarily from social engineering (e.g. phishing, vishing); 
  • Findings from applications or systems not listed in the “Scope” section; 
  • UI and UX bugs and spelling mistakes; 
  • All types of Denial of Service (DoS/DDoS) vulnerabilities;
  • Missing Cookie flags on non-session cookies or 3rd party cookies;
  • Email spoofing, SPF, DMARC & DKIM;
  • Scanner output or scanner-generated reports, including any automated or active exploit tool;
  • Cross Site Request Forgery;
  • Banner or version disclosures on common/public services;
  • Disclosure of known public files or directories (e.g. robots.txt);
  • Clickjacking and issues only exploitable through clickjacking;
  • Any non-technical vulnerabilities (e.g., organisational policies);
  • Any vulnerability that relies upon an outdated browser.

Things we do not want to receive: 

  • Personal data/Personally identifiable information; 
  • Payment card data. 

Security Researchers should understand that the authorisations provided in this Policy apply only to the activity described here. Any other activity not described in this Policy, and any non-compliance with applicable laws and regulations, is prohibited and may result in legal action. Security Researchers should not attempt to monetise any vulnerability or disclose it to any unauthorised third party.

We openly accept reports for the systems and services listed as in scope. We agree not to pursue legal action against Security Researchers who:

  • Engage in research without harming PAYSTRAX, its customers and employees; 
  • Engage in vulnerability testing within the scope of this Policy and avoid testing against Out of Scope services; 
  • Test without affecting customers; 
  • Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires. 

Should legal action be initiated by a third party against Security Researchers for activities that were conducted in accordance with this Policy, we will inform that third party (if needed) of the authorisation provided to Security Researchers in this Policy. 

6. VULNERABILITY REPORTING 

If you believe you’ve found a security vulnerability in our service, please report it to us by emailing security@paystrax.com. Please include the following details with your report: 

  • Detailed summary of the vulnerability, including when it was discovered and any relevant timeline information;
  • Description of the location and potential impact of the vulnerability, including the exploitability;
  • A detailed description of all steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us);
  • The specific component or feature that the vulnerability affects;
  • Any potential attack vectors or scenarios that could be exploited;
  • Tools and artifacts used during discovery;
  • The IP address used during the testing, so that we can identify the logs related to your testing;
  • Your name/handle and a link for recognition in our Hall of Fame;
  • Any potential remediation;
  • How you prefer to be contacted;
  • Any plans or intentions for public disclosure.

7. PREFERENCE, PRIORITISATION, AND ACCEPTANCE CRITERIA  

We will use the following criteria to prioritise and triage submissions.  

What we would like to see from you:  

  • Well-written reports in English will have a higher chance of resolution;
  • Reports that include proof-of-concept code equip us to better triage;
  • Reports that include only crash dumps or other automated tool output may receive lower priority;
  • Reports that concern products not on the scope list may receive lower priority.

8. COMPENSATION 

We do not offer compensation to researchers for identifying potential or confirmed security vulnerabilities, and requests for monetary compensation will be treated as a breach of this Policy. 

9. SECURITY RESEARCHER HALL OF FAME 

PAYSTRAX would like to acknowledge and thank the following people for helping us to improve our security.