Responsible Disclosure Policy
KwikPaisa (JIDF) takes the security of our systems and its data very seriously. We are continuously striving to maintain and ensure that our environment is safe and secure for everyone to use. If you’ve discovered any security vulnerabilities associated with any of our KwikPaisa (JIDF) services, we do appreciate your help in disclosing it to us in a responsible manner.
KwikPaisa (JIDF) will engage with you as external security researchers (the Researcher) when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy.
If a Researcher follows the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us, unless prescribed otherwise by law or the payment scheme rules, we commit to:
Any of the KwikPaisa (JIDF) services iOS, Android or Web apps, which process, store, transfer or use in one way or personal or sensitive personal information, such as card data and authentication data.
Automated tools or scripts ARE STRICTLY PROHIBITED, and any POC submitted to us should have a proper step-by-step guide to reproduce the issue. Abuse of any vulnerability found shall be liable for legal penalties
1. Price manipulation WITHOUT SUCCESSFUL TRANSACTION
2. Any services hosted by 3rd party providers and services not provided by KwikPaisa (JIDF)
3. Any service that is not mentioned in the In Scope domains section
4. IDOR references for objects that you have permission to access
5. Duplicate submissions that are being remediated
6. Known issues
7. Rate limiting (Unless it implies severe threat to data, business loss)
8. Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
9. Open redirects
10. Click jacking and issues only exploitable through click jacking
11. Only session cookies needed http and secure flags. Apart from these, for other cookies we won’t consider as vulnerability
12. Issues without clearly identified security impact such as missing security headers.
13. Vulnerabilities requiring physical access to the victim's unlocked device.
14. Formula Injection or CSV Injection
15. DOM Based Self-XSS and issues exploitable only through Self-XSS.
System and Infrastructure Related
16. Patches released within the last 30 days
17. Networking issues or industry standards
18. Password complexity
19. Email related:
20. Information Leakage:
21. Cacheable SSL pages
Login and Session Related
22. Forgot Password page brute force and account lockout not enforced
23. Lack of Captcha
24. Presence of application or web browser ‘auto complete’ or ‘save password’ functionality
25. Session Timeouts
A Researcher can test only against a merchant account if they are an account owner or an agent authorised by the account owner to conduct such testing.
As a Researcher, in no event are you permitted to access, download or modify data residing in any other account or that does not belong to you or attempt to do any such activities.
In the interest of the safety of our merchants, users, employees, the Internet at large and you as a Researcher, the following test types are expressly excluded from scope and testing: any findings from physical testing (office access, tailgating, open doors) or DOS or DDOS vulnerabilities. A responsible disclosure also does not include identifying any spelling mistakes, or any UI and UX bugs.
We require that all Researchers must:
Remember that you must never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Please include the following information with your report:
The identified bug shall have to be reported to our security team by sending us a mail from their registered email address email@example.com ( SUBJECT: SUSPECTED VULNERABILITY ON KWIKPAISA (JIDF)) (without changing the subject line else the mail shall be ignored and not eligible for bounty). The mail should strictly follow the format below:
Any Publicly Identifiable profile(LinkedIn, Github etc.):
Name of the Vulnerability:
Detailed steps to reproduce (transaction id’s can also be provided here):
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
If legal action is initiated by a third party against you and you have complied with KwikPaisa (JIDF)’s VDP, KwikPaisa (JIDF) will take steps to make it known that your actions were conducted in compliance with this policy.
By default, this program is in “ PUBLIC NONDISCLOSURE” mode which means:
"THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO PUBLIC, FAILING WHICH SHALL BE LIABLE FOR LEGAL PENALTIES!”
We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. KwikPaisa (JIDF) employees and their family members are not eligible for bounties.