Responsible Disclosure Policy

Responsible Disclosure Policy

  1. Introduction

KwikPaisa (JIDF) takes the security of our systems and its data very seriously. We are continuously striving to maintain and ensure that our environment is safe and secure for everyone to use. If you’ve discovered any security vulnerabilities associated with any of our KwikPaisa (JIDF) services, we do appreciate your help in disclosing it to us in a responsible manner.

KwikPaisa (JIDF) will engage with you as external security researchers (the Researcher) when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy.

If a Researcher follows the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us, unless prescribed otherwise by law or the payment scheme rules, we commit to:

  • Promptly acknowledging receipt of your vulnerability report and work with the researcher to understand and attempt to resolve the issue quickly;
  • Validating, responding and fixing such vulnerability in accordance with our commitment to security and privacy. We will notify you when the issue is fixed
  • Unless prescribed by law otherwise, not pursue or take legal action against you or the person who reported such security vulnerabilities;
  • Not suspend or terminate access to our service/services if you are a merchant. If you are an agent, not suspend or terminate merchants access to our services to which the agent represents;
  1. In Scope of this Policy

Any of the KwikPaisa (JIDF) services iOS, Android or Web apps, which process, store, transfer or use in one way or personal or sensitive personal information, such as card data and authentication data.

Domains

Focus Areas

Automated tools or scripts ARE STRICTLY PROHIBITED, and any POC submitted to us should have a proper step-by-step guide to reproduce the issue. Abuse of any vulnerability found shall be liable for legal penalties

  • Able to bypass payment flow
  • Price manipulation with a successful transaction (transaction id required)
  • SQL Injections
  • Remote Code Execution (RCE) vulnerabilities
  • Shell Upload vulnerabilities (only upload basic backend script that just prints some string, preferably try printing the hostname of the server and stop there ! YES STOP THERE ! )
  • Authentication and Authorization vulnerabilities including horizontal and vertical escalation. (Use 2 different test accounts created by you)
  • Domain take-over vulnerabilities
  • Stored XSS
  • Bulk user sensitive information leak
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Any vulnerability that can affect the KwikPaisa (JIDF) Brand, User (Customer/Merchant) data and financial transactions
  • Out of Scope
  • General

    1. Price manipulation WITHOUT SUCCESSFUL TRANSACTION

    2. Any services hosted by 3rd party providers and services not provided by KwikPaisa (JIDF)

    3. Any service that is not mentioned in the In Scope domains section

    4. IDOR references for objects that you have permission to access

    5. Duplicate submissions that are being remediated

    6. Known issues

    7. Rate limiting (Unless it implies severe threat to data, business loss)

    8. Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)

    9. Open redirects

    10. Click jacking and issues only exploitable through click jacking

    11. Only session cookies needed http and secure flags. Apart from these, for other cookies we won’t consider as vulnerability

    12. Issues without clearly identified security impact such as missing security headers.

    13. Vulnerabilities requiring physical access to the victim's unlocked device.

    14. Formula Injection or CSV Injection

    15. DOM Based Self-XSS and issues exploitable only through Self-XSS.

    System and Infrastructure Related

    16. Patches released within the last 30 days

    17. Networking issues or industry standards

    18. Password complexity

    19. Email related:

    • SPF or DMARC records
    • Gmail "+" and "." acceptance
    • Email bombs
    • Unsubscribing from marketing emails

    20. Information Leakage:

    • HTTP 404 codes/pages or other HTTP non-200 codes/pages
    • Fingerprinting / banner disclosure on common/public services
    • Disclosure of known public files or directories, (e.g. robots.txt)

    21. Cacheable SSL pages

    Login and Session Related

    22. Forgot Password page brute force and account lockout not enforced

    23. Lack of Captcha

    24. Presence of application or web browser ‘auto complete’ or ‘save password’ functionality

    25. Session Timeouts

    1. Testing

    A Researcher can test only against a merchant account if they are an account owner or an agent authorised by the account owner to conduct such testing.

    As a Researcher, in no event are you permitted to access, download or modify data residing in any other account or that does not belong to you or attempt to do any such activities.

    In the interest of the safety of our merchants, users, employees, the Internet at large and you as a Researcher, the following test types are expressly excluded from scope and testing: any findings from physical testing (office access, tailgating, open doors) or DOS or DDOS vulnerabilities. A responsible disclosure also does not include identifying any spelling mistakes, or any UI and UX bugs.

    1. Rules

    We require that all Researchers must:

    • Make every effort to avoid privacy violations, degradation of user or merchant experience, disruption to production systems, and destruction of data during security testing.
    • Not attempt to gain access to any other persons account, data or personal information.
    • Use their real email address to signup and report any vulnerability information to us.
    • Keep information about any vulnerabilities you’ve discovered confidential between yourself and KwikPaisa (JIDF). KwikPaisa (JIDF) will take a reasonable time to remedy such vulnerability (approximately 1 month as a minimum but this is dependent on the nature of the security vulnerability and regulatory compliance by KwikPaisa (JIDF)). The Researcher shall not publicly disclose the bug or vulnerability on any online or physical platform before it is fixed and prior written approval to publicly disclose from KwikPaisa (JIDF).
    • Not perform any attack that could harm the reliability, integrity and capacity of our Services. DDoS/spam attacks are STRICTLY not allowed
    • Not use scanners or automated tools to find vulnerabilities (noisy and we may automatically suspend your account and ban your IP address)
    • As a Researcher, you represent and warrant that you have the right, title and interest to disclose any vulnerability found and to submit any information, including documents, codes, among others, in connection therewith. Once you inform a vulnerability, you grant KwikPaisa (JIDF), its subsidiaries and affiliates an irrevocable, worldwide, royalty-free, transferable, sublicensable right to use in any way KwikPaisa (JIDF) deems appropriate for any purpose, such as: reproduction, modification, distribution, adaptation among other uses, the information related with the vulnerabilities. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by KwikPaisa (JIDF).

    Remember that you must never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

    Please include the following information with your report:

    • Detailed description of the steps required to help us reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
    • Your email address.
  • Report Template
  • The identified bug shall have to be reported to our security team by sending us a mail from their registered email address tosecurity@kwikpaisa.com ( SUBJECT: SUSPECTED VULNERABILITY ON KWIKPAISA (JIDF)) (without changing the subject line else the mail shall be ignored and not eligible for bounty). The mail should strictly follow the format below:

    Individual Details:

    Full Name:

    Mobile Number:

    Any Publicly Identifiable profile(LinkedIn, Github etc.):

    Bug Details:

    Name of the Vulnerability:

    Areas affected:

    Impact:

    Detailed steps to reproduce (transaction id’s can also be provided here):

    1. Consequences of Complying with This Policy

    We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

    If legal action is initiated by a third party against you and you have complied with KwikPaisa (JIDF)’s VDP, KwikPaisa (JIDF) will take steps to make it known that your actions were conducted in compliance with this policy.

    1. Public Disclosure Policy:

    By default, this program is in “ PUBLIC NONDISCLOSURE” mode which means:

    "THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO PUBLIC, FAILING WHICH SHALL BE LIABLE FOR LEGAL PENALTIES!”

    1. The Fine Print

    We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. KwikPaisa (JIDF) employees and their family members are not eligible for bounties.