Responsible Disclosure

INTRODUCTION

At (Website name), safeguarding our users and maintaining a secure environment is of utmost importance. We value the input of security researchers in identifying vulnerabilities within our systems and consider it an ongoing effort to ensure system security.

We encourage skilled security researchers to participate in our vulnerability disclosure program to help us maintain the integrity of our services. Our Responsible Disclosure Policy outlines the guidelines for reporting any security vulnerabilities associated with (Website name).

POLICY

To uphold the security of our systems, (Website name) requests security researchers and members of the security community adhere to the following rules when reporting security vulnerabilities:

  • Researchers must report vulnerabilities to (Website name)'s security team via email at (mention Email id).
  • We acknowledge receipt of submissions within 24 hours.
  • The severity and exploitability of reported issues are evaluated within 3 to 5 days.
  • Researchers should refrain from accessing sensitive information, performing actions that may impact other users, or sending automated reports.
  • Vulnerabilities should not be exploited or disclosed publicly until they have been resolved.
  • (Website name) commits to publicly acknowledging and recognizing responsible disclosures.

REPORTING GUIDELINES

When reporting a vulnerability, please include the following details in your report:

  • Description of the vulnerability and its potential impact.
  • Step-by-step instructions for reproducing the vulnerability.
  • Screenshots and video proofs of concept, if available.
  • Your preferred name or handle for recognition as a Security Researcher.

TARGET SCOPE

To evaluate security vulnerabilities, researchers are advised to investigate the following areas:

Exclusion of Third-Party Software:

(Website name) incorporates third-party software to deliver services to its clientele. Any bugs or vulnerabilities discovered in third-party software will not be deemed valid within this program. Vulnerabilities reported to (Website name) may be conveyed to the respective third-party service provider.

In-Scope Vulnerabilities Overview:

  • Remote Code Execution (RCE)
  • Payment flow circumvention
  • Account Takeover Attacks (ATOs)
  • Price manipulation resulting in a successful transaction (transaction ID required)
  • SQL injection, XML External Entity (XXE) injection, and command injection
  • Stored cross-site scripting (XSS) and reflected XSS with demonstrated impact
  • Server-Side Request Forgery (SSRF)
  • Server and application misconfigurations
  • Horizontal and vertical privilege escalation (authentication and authorization flaws)
  • Cross-Site Request Forgery (CSRF)
  • Sensitive information leakage and Insecure Direct Object References (IDOR)
  • Domain takeover vulnerabilities
  • Vulnerabilities affecting the (Website name) brand, User (Customer/Merchant) data, or financial transactions

Out-of-Scope Vulnerabilities:

  • Social engineering attacks (including phishing) targeting (Website name) employees or contractors
  • Distributed Denial of Service (DDoS) attacks
  • Missing flags on non-sensitive cookies, and missing X-Frame-Options headers
  • Missing security headers without a direct vulnerability impact (unless a proof of concept is provided)
  • Version disclosure (unless a working exploit is demonstrated)
  • Publicly readable directory listings
  • HTML injection and self-XSS
  • Information that is not a vulnerability in itself (e.g., stack traces, application errors, robots.txt)
  • Use of known-vulnerable libraries, such as OpenSSL, without proof of exploitation
  • Lack of account lockout or brute-force protection on login and forgotten-password pages
  • Locking user accounts to deny them access to the application
  • Scanned or automated reports
  • Issues only exploitable through clickjacking
  • Missing, weak, or bypassable CAPTCHA
  • Weak or insecure cipher suites, BEAST, BREACH, renegotiation attacks, and other SSL/TLS best-practice deficiencies
  • HTTP TRACE or OPTIONS methods enabled
  • Login/logout CSRF
  • Open ports without a proof of concept demonstrating a vulnerability
  • Reflected XSS without a proof of concept demonstrating impact
  • CSV or formula injection
  • Retention of EXIF data in images
  • Rate limiting
  • Cookies missing security flags
  • SPF/DKIM/DMARC issues in email
  • Enumeration of user email addresses
  • (Website name) reserves the right to extend this list of exclusions as necessary.

ACKNOWLEDGMENTS

We appreciate the efforts of security researchers in identifying and reporting vulnerabilities. Your contributions help us maintain a secure environment for all our users, and we aim to resolve reported issues promptly.

Thank you for your assistance and cooperation in ensuring the security of (Website name)'s services.