Responsible Disclosure

NOTE: It is important to read the following section prior to test and/or report a vulnerability on any of the PayDock software solutions.

As every piece of code written by a human being is prone to issues, we are not exempt. We try our best to reduce the presence of such security bugs in our technologies but we also know that our resources are limited and acknowledge there are others intelligent individuals out there. Therefore, we are open to hear from them and their willingness to help to secure the digital era.

In order to achieve such a big but amazing goal, here is the information you need to be aware of when getting in contact with us.

Eligibility

In order for PayDock to consider your submission the following criteria will apply:

1. Violation of any law that applies to regions involved in the submission.
2. If you are considered to be a minor in either of the countries involved in the submission, you must get parent’s or minder’s approval.
3. The only compensation provided is through public recognition so please refrain from other types.

Scope

URLs

The following links cover our web presence

• api.paydock.com
• app.paydock.com
• *.paydock.com

The following software is also covered by this policy:

• Officially supported SDKs

Regarding the vulnerabilities that are in scope, these may include but are not limited to the following:

• Server-side or remote code execution (RCE)
• Authentication or authorization flaws, including insecure direct object references and authentication bypass
• Injection vulnerabilities, including SQL and XML injection
• Directory traversal
• Significant security misconfiguration with a verifiable vulnerability

The following vulnerabilities will be also considered for web sites:

• Disclosure of sensitive or personally identifiable information
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF) for sensitive functions in a privileged context

Out of scope

Any software in the form of application, either web or mobile, and/or services that are not described in the above section are considered to be outside of the scope of this policy. Therefore, any activity identified on them will be rejected and considered a breach of policy, treated as an illegal conduct, and reported to the relevant parties for prosecution.

How to contact us

In order for us to receive and accept your reports you need to use the following information

Email

Send any communications to [email protected] with all the relevant information regarding the vulnerability identified. Remember that all the information presented is used for verification purposes so the more detailed you provide the better for us to consider your report.

The following considerations should be in place for all parties involved in the disclosure:

• Respect merchant’s and their customers’ privacy.
• Be transparent and open

No other forms of reporting will be considered under this policy and any public interaction over other channels (e.g. Facebook, twitter, etc.) will not be considered formal and tolerated.

You can encrypt communications to [email protected] with our PGP Key.

Terms and conditions

An individual participating in the responsible disclosure process is voluntarily and any report will be considered for review. No monetary recognition will be given to the reporters for their voluntary work, but we will be happy to provide public recognition for their hard work and invaluable input.