PayZrr makes continuous efforts to ensure that our environment is safe and secure for everyone to use. The security of our data and systems is of great importance to us. We appreciate you responsibly disclosing to PayZrr any security vulnerabilities you have discovered in PayZrr services. When you report vulnerabilities to PayZrr under this Responsible Disclosure Policy, we will engage with you as an external security researcher (the Researcher).
Responsible Disclosure Policy
Provided that a Researcher reporting security vulnerabilities to PayZrr abides by the rules prescribed in this Responsible Disclosure Policy, and unless specified otherwise by law or by payment scheme practices, PayZrr commits to:
- Acknowledge receipt of the vulnerability report immediately and work with the Researcher to understand and attempt to fix the issue expeditiously;
- Validate, verify, respond to and fix the vulnerability in accordance with our commitment to privacy and security, and inform you when the issue is resolved;
- Not pursue or take legal action against you or the person who reported the security vulnerability, unless required otherwise by law;
- Not stop, suspend or withhold your access to the PayZrr services if you are a merchant, and not stop, suspend or withhold the access to the PayZrr services of the merchants you represent, if you are an agent;
- Acknowledge and thank you in our Hall of Fame for disclosing vulnerabilities to PayZrr in a responsible manner.
In scope of this Policy
Any of the PayZrr services, including iOS or Android apps, which process, store, transfer or otherwise use personal or sensitive personal information, such as card data and authentication data. Web service vulnerabilities are classified using the OWASP Top 10; mobile application vulnerabilities are classified using the OWASP Mobile Top 10.
Out of scope
Any services hosted by third-party providers, and any services not provided by PayZrr.
To perform any testing or research, a Researcher may use their own merchant accounts and must not access accounts or data they do not own. A Researcher testing a merchant account must be the account owner or an agent approved by the account owner. In no case is the Researcher authorized or granted access to any other merchant account, nor may they download or modify data in any account that does not belong to them, or attempt to do so. The Researcher must not infringe any applicable laws or regulations. The following test types are explicitly excluded from scope, in the best interests of the safety of our merchants, users, employees, the internet at large, and you as a Researcher: any findings from physical testing (office access, tailgating, open doors), DoS or DDoS vulnerabilities, and spelling mistakes or UI/UX bugs.
The Researcher must abide by the following terms and conditions:
2. Must not actually exploit a vulnerability; you may only show or explain that it could be exploited.
3. Must not cause the loss of funds that are not your own.
4. Must not attempt to access, download, copy, delete, compromise or misuse others' data, accounts, or personal information.
5. Must use your own email address and other information when signing up for an account to report such vulnerability information to PayZrr.
6. Must keep such vulnerability information confidential between you and PayZrr. Must not reveal the information, discovery, or contents of such vulnerability publicly or to any third parties without PayZrr's prior written approval. PayZrr will take a reasonable time to resolve the vulnerability (approximately 1 month as a minimum), depending on the nature of the vulnerability and PayZrr's regulatory compliance obligations.
7. Must not make any attack that could impact the integrity, reliability or delivery of our service. DDoS and spam attacks are strictly not allowed.
8. Must not use automated tools or scanners to find vulnerabilities (they are noisy, and your account and IP address will be suspended automatically).
9. By reporting a vulnerability, the Researcher grants PayZrr and its affiliates a permanent, irrevocable, worldwide, royalty-free, transferable, sublicensable right to use, copy, adapt, develop, create derivative works from or share your submission for any purpose. You waive all claims, including breach of contract, implied-in-fact contract, or quasi-contract, arising out of your submission.
10. Must not attack in a non-technical manner, such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
The Researcher needs to report to us the detailed steps and a description that enable us to reproduce the vulnerability (PoC scripts, screenshots, and compressed screen captures are all helpful to us). The report must include the Researcher's email address.
They need to email us at email@example.com
This Responsible Disclosure Policy does not accommodate monetary requests or demands for identified or alleged vulnerabilities.
PayZrr appreciates your help in keeping our environment safe and secure by identifying and reporting security vulnerabilities in a responsible manner. Once a reported vulnerability is verified and fixed, we would like to express our gratitude by putting your name on our Hall of Fame page.
Policy Compliance and Consequences
PayZrr will not file a complaint with law enforcement or take any civil action for accidental violations of this policy that occur in good faith. We consider activities undertaken consistently with this policy to represent "authorized" conduct under the Computer Fraud and Abuse Act. We will not bring a Digital Millennium Copyright Act (DMCA) claim against you for bypassing the technological measures used to protect the applications in question.
If a third party initiates legal action against you and you have acted in accordance with the PayZrr Responsible Disclosure Policy, PayZrr will take steps to make it known that your research and actions were conducted in compliance with this policy.
The PayZrr Security Vulnerability Program operates in "Public Non-Disclosure" mode, which means that by default, under this program and this policy, one must not make information about vulnerabilities public, or one is liable for legal penalties.