Cipherpay
VULNERABILITY DISCLOSURE PROGRAM

This Privacy Policy is effective as of 1st August, 2022.

System security is a top priority at CipherPay. Regardless of the amount of effort any Company puts into its system security, ensuring a safe and secure environment is a continuous process. CipherPay believes that working with skilled security researchers across the globe is crucial in identifying any weaknesses in its systems, and in ensuring that its security is maintained. CipherPay hence invites all skilled security researchers to participate in its Vulnerability Disclosure Program (the ‘Program’)
CipherPay will engage with you as an external security researcher (the Researcher) when vulnerabilities are reported to us in compliance with the below Responsible Disclosure Policy.
If a Researcher follows the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us, unless prescribed otherwise by law or the payment scheme rules, we commit to:

  • Promptly acknowledge the receip of your vulnerability report and work with you, the researcher, to understand and resolve the issue quickly;
  • Validate, respond and fix such vulnerability in accordance with our commitment to security and privacy. We will notify you when the issue is fixed;
  • Unless prescribed by law otherwise, not pursue or take legal action against you or the person who reported such security vulnerabilities;
  • Not suspend or terminate access to our service/services if you are a merchant or representative for a merchant;
  • Publicly acknowledge and recognize your responsible disclosure in our Hall of Fame page.
I. Scope of the Program:
  • Only the below-listed domains are included in the scope of this program and researchers are recommended to look for security vulnerabilities under the same:
  • https://www.cipherpay.in
  • Third-Party Softwares are excluded:

    • As part of providing services to its customers, CipherPay uses integrations with various third-party software. This Program does not extend to any such third-party software and bugs or vulnerabilities detected in such third-party software will not be considered as a valid find. Notwithstanding the above, any such vulnerabilities communicated to CipherPay may further be transmitted/informed to the third-party service provider.

II. Terms of Registration:

These terms govern the terms of your access and participation in the CipherPay Vulnerability Disclosure Program and you deem to agree and undertake to abide by these terms while participating in the Program and submitting your reports. By agreeing to participate in the Program, you agree to abide by the terms hereunder.

  • Researchers should notify us as soon as they find any potential security issue on the notified e-mail id.
  • The researchers are advised to stick to this policy and shall not be allowed to disclose details of the vulnerability to any third party or expose it to any agencies.
  • Researchers will be required to use official communication channels only. Do not use personal emails, social media accounts, or other private connections to contact a member of the security team in regard to vulnerabilities or any program related issues, unless you have been instructed to do so.
  • Any unauthorized attempts of social engineering, phishing, or physical attacks against CipherPay’s employees, users, or impersonation of a CipherPay employee through a third party, another hacker, or a security team will not be tolerated.
  • esearchers should not gain unauthorized access or destroy any user's data.
  • Any unauthorized attempts of social engineering, phishing, or physical attacks against CipherPay’s employees, users, or impersonation of a CipherPay employee through a third party, another hacker, or a security team will not be tolerated.
  • Researchers shall be strictly prohibited from exploiting any of the vulnerabilities found.
  • Researchers will make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
IV. How to Report:

1. Drop us an email at info@cipherpay.in (SUBJECT: SUSPECTED VULNERABILITY ON CIPHERPAY) with the details of the vulnerability identified to register yourself.

2. Once registered, you shall only use the registered email Id to interact with CipherPay security team. Do not use personal emails, social media accounts, or other private connections to contact a member of the security team in regard to vulnerabilities or any program-related issues, unless you have been instructed to do so.

3. Upon detection of a vulnerability/bug, you shall immediately report it to the CipherPay team and such bug/vulnerability report shall include:

  • Details that must be included in the report:
  • Description and potential impact of the vulnerability.
  • Information about the researcher including organization name and contact name.
  • Products or solutions and versions affected.
  • Proof-of-Concept URL and the information of affected parameters.
  • Supporting technical details (such as system configuration, traces, description of exploit/attack code).
  • Information about known exploits/attacks.
  • Detailed steps of reproducing the vulnerability
  • Screenshots to show Proof-of-Concept
  • Details of the system where the tests were conducted
  • Video recording of the Proof-of-Concept (If Possible.)

However, CipherPay reserves the right to refuse your request if any of the above-mentioned details are not provided by you to CipherPay.

V. Exclusions:

While researching, you shall strictly refrain from indulging in:

  • Social engineering (including phishing) with any CipherPay staff or contractors;
  • Any physical attempts against CipherPay property, data centers or infrastructure;
  • Denial of Service, Distributed-DoS;
  • X-Frame-Options related, missing cookie flags on non-sensitive cookies;
  • Missing security headers which do not lead directly to a vulnerability (unless you deliver a PoC);
  • Version exposure (unless you deliver a PoC of working exploit);
  • Directory listing with already public readable content;
  • Content spoofing on error pages or text injection;
  • Information disclosure not associated with a vulnerability, i.e.: stack traces, application or server errors, robots.txt etc;
  • Use of known-vulnerable libraries without proof of exploitation such as OpenSSL;
  • Vulnerabilities affecting end of life browsers or platforms;
  • Login or forgotten password page brute forcing and account lockout not being enforced;
  • Application denial of service by locking user accounts;
  • Password or account recovery policies, such as reset link expiration or password complexity;
  • Reports from automated scripts or scanners;
  • Findings from physical testing such as office access (e.g. open doors, tailgating);
  • Findings derived primarily from social engineering (e.g. phishing, vishing, smishing);
  • Functional, UI and UX bugs and spelling mistakes;
  • Logged out cross-site request forgery (logout CSRF);
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality;
  • Options / trace HTTP method being enabled (unless you deliver a PoC of working exploit);
  • Modification of headers, URLs, POST body content, server responses by man-in-the-middle attacks;
  • Fingerprinting / banner disclosure on common / public services;
  • Clickjacking and issues only exploitable through clickjacking;
  • No / weak captcha / captcha bypass;
  • SSL issues such as BEAST, BREACH, renegotiation attack, forward secrecy not enabled, weak / insecure cipher suites.

CipherPay reserves its right to expand this list and include additional exclusions when required.

VI. Additional Terms:

1. You must abide by the law and intimation of vulnerability shall be as per the law.

2. CipherPay reserves the right to discontinue the Program with prior intimation to registered researchers.

3. By submitting information about a potential vulnerability, you are agreeing to these terms and conditions and granting CipherPay a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing vulnerabilities.

4. CipherPay reserves the right to hold you responsible and liable for any consequences arising out of your breach of these terms or breach of confidentiality.. You hereby undertake to indemnify and keep indemnified CipherPay and its directors, officers, employees and consultants against all losses, damages, claims or liabilities that they incur due to any Fraud, Willful Misconduct, Gross Negligence, breach of confidentiality or due to breach of personal confidential information.

VII. Public Disclosure Policy:

By default, this program is in “PUBLIC NON-DISCLOSURE” mode which means:

"This program does not allow public disclosure. One should not release the information about vulnerabilities found in this program to public, failing which shall be liable for legal penalties!”

VIII. Consequences of Complying with This Policy

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope. If legal action is initiated by a third party against you and you have complied with Cipherpay’s will take steps to make it known that your actions were conducted in compliance with this policy.

Governing Law and Jurisdiction:

These terms shall be governed by the Laws of India and the courts at New Delhi, India shall have exclusive jurisdiction to try any disputes that may arise out of this Program.

Last Updated on 1st August 2022 at 11:00 AM

Copyright @2022 Cipherpay | CipherSquare Payment Solutions Pvt Ltd. All Rights Reserved