PayFi cares greatly about the security of the platform, applications, and services we offer to our customers. If you are a security researcher and have discovered a security vulnerability in one of our services, we appreciate your help in disclosing it to us in a responsible manner. We will validate and fix vulnerabilities in accordance with our policies. PayFi reserves all its legal rights in the event of any non-compliance with the applicable laws and regulations.

Reporting

If you discover a vulnerability, we would like to know about it, so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.

Please provide the following information with your report:

  1. E-mail your findings to risk@payfi.co.in. The researcher should report to us the detailed steps and description needed to reproduce the vulnerability (this includes screenshots, scripts, video, or simple text instructions).
  2. Encrypt and share your findings to prevent this critical information from falling into the wrong hands. The encryption and sharing mechanism will be provided once the email contents are validated.

The encryption will involve a PGP key to encrypt the contents, and a file hash has to be provided to verify the integrity of the shared data. The data will be shared only via our official email address mentioned above.

Rules for finding Security Vulnerabilities

  • Take responsibility and act with extreme care and caution.
  • Without limiting the generality of the foregoing, when investigating the matter, only use methods or techniques that are compliant with the law and necessary in order to find or demonstrate the weaknesses.
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data.
  • Do not reveal the bug/vulnerability on any online or physical platform or anywhere else until it has been resolved and you have prior written approval from PayFi.
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
  • Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
  • You represent and warrant that you have the right, title and interest to disclose any vulnerability found and to submit any information, including documents, codes, among others, in connection therewith. You agree that, once you inform a vulnerability, you grant PayFi, its subsidiaries and/or affiliates an irrevocable, worldwide, royalty-free, transferable, sublicensable right to use in any way PayFi deems appropriate for any purpose including but not limited to reproduction, modification, distribution, adaptation among other uses, the information related with the vulnerabilities. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by PayFi.

The following are excluded from the Responsible Disclosure Policy (note that this list is not exhaustive):

  • Taking any action that will negatively affect PayFi or its agents.
  • Retaining any personally identifiable information discovered, in any medium. Any personally identifiable information discovered must be permanently destroyed or deleted from your device and storage.
  • Disclosing any personally identifiable information discovered to any third party.
  • Destruction or corruption of data, information or infrastructure, including any attempt to do so.
  • Discovery that was dependent on social engineering techniques of any kind (any verbal or written interaction with anyone affiliated with or working for PayFi).
  • Any exploitation actions, including accessing or attempting to access PayFi data or information, beyond what is required for the initial Proof of Vulnerability. This means your actions to obtain and validate the Proof of Vulnerability must stop immediately after initial access to the data or a system.
  • Attacks on third-party services.
  • Denial of Service attacks or Distributed Denial of Service attacks.
  • Any attempt to gain physical access to PayFi property or data centers, or planting ransomware, malware, spam, cryptominers, zero-day vulnerabilities, etc.
  • Use of assets that you do not own or are not authorized or licensed to use when discovering a vulnerability.
  • Violation of any laws or agreements in the course of discovering or reporting any vulnerability.

Out of scope vulnerabilities

  • Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit.
  • Third-party applications, websites or services that integrate with or link to PayFi.
  • Discovery of any in-use service (vulnerable third-party code, for example) whose running version includes known vulnerabilities without demonstrating an existing security impact.
  • Known issues.

Examples of vulnerabilities include, inter alia:

  • Authentication flaws
  • Circumventing of platform and/or privacy permissions
  • Privilege escalations
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • Injection attacks (SQL, XML, JSON, etc.)
  • Business logic Bypass
  • Arbitrary redirect
  • Server-side code execution (RCE)

In any event, please refrain from the following:

  • Do not use weaknesses you discover for purposes other than your own investigation.
  • Do not use social engineering to gain access to a system.
  • Do not install any back doors, not even to demonstrate the vulnerability of a system. Back doors will weaken the system’s security.
  • Do not alter or delete any information in the system. If you need to copy information for your investigation never copy more than you need. If one record is sufficient, do not go any further.
  • Do not alter the system in any way.
  • Do not share access or details of any vulnerable system with others.
  • Do not use brute force techniques, such as repeatedly entering passwords, to gain access to systems.

Also refrain from:

  • Accessing, Downloading, or Modifying data residing in an account that does not belong to you or attempting to do any of the foregoing
  • Executing or attempting to execute any Denial of Service attack
  • Posting, transmitting, uploading, linking to, sending, or storing any malicious software
  • Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of duplicative or unsolicited messages
  • Testing in a manner that would degrade the operation of any PayFi properties, or testing third-party applications, websites, or services that integrate with or link to PayFi properties.

The following issues are also considered out of scope:

  • Issues with out-dated or unpatched browsers
  • Lack of the secure flag on non-sensitive cookies
  • Lack of the HTTP only flag on non-sensitive cookies
  • Security vulnerabilities in third-party websites and applications that integrate with PayFi
  • Vulnerabilities requiring a potential victim to install nonstandard software or otherwise take steps to become susceptible to attack
  • Vulnerabilities that require very unlikely user interactions
  • Findings primarily from social engineering (e.g. phishing, vishing)
  • Findings from physical testing such as office access (e.g. open doors, tailgating)
  • UI/UX bugs and spelling mistakes
  • Spamming
  • Disclosure of known public files or directories, (e.g. robots.txt)
  • Click-jacking and issues only exploitable through click-jacking
  • CSRF on forms that are available to anonymous users (e.g. the contact form)
  • Logout Cross-Site Request Forgery (logout CSRF)
  • Presence of application or web browser autocomplete or save password functionality
  • SSL/TLS attacks such as BEAST, BREACH, or renegotiation attacks
  • SSL Forward secrecy not enabled
  • SSL Insecure cipher suites
  • Missing anti-MIME-sniffing header (X-Content-Type-Options)
  • Missing HTTP security headers

Points to keep in mind

  • Do not put any customer or PayFi data at risk, and do not degrade the performance of any of our systems.
  • If your actions are intrusive or constitute an attack on our systems, we may act against them, including reporting them to law enforcement agencies.
  • PayFi reserves its right to initiate legal action against, and/or report to the relevant authorities, any person who conducts tests or investigations that are prohibited, not in compliance with the law, or not in accordance with this Policy.
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and PayFi. We may refrain from pursuing legal action against individuals or companies who submit vulnerability reports through our requested channel and who comply with the requirements of this policy, unless we are compelled to do so by a regulatory authority, another third party, or applicable laws.

Indemnification

The Researcher shall fully indemnify, hold harmless and defend (collectively “indemnify” and “indemnification”) PayFi, its subsidiaries and affiliates, and its directors, officers, employees, agents, and stockholders (collectively, the “Indemnified Parties”) from and against all claims, demands, actions, suits, damages, liabilities, losses, settlements, judgments, costs and expenses (including but not limited to reasonable attorney’s fees and costs), whether or not involving a third-party claim, which arise out of or relate to:

  • Any breach of any representation or warranty contained in this Responsible Disclosure Policy made by the researcher;
  • Any breach or violation of the terms of this Responsible Disclosure Policy or any obligation or duty of the researcher referred to therein or under applicable law;
  • Any misuse of data, including personal data;
  • Any breach of confidentiality or of any waiver granted;
  • Any attempt to contact PayFi’s clients, users or third parties to disclose the existence of the vulnerability found, including but not limited to any reference or message on social media referring to the finding;
  • Any attempt to bring direct or indirect claims, demands, actions, judgments, or lawsuits against PayFi or any other Indemnified Party, in each case whether or not caused by the negligence of PayFi or any other Indemnified Party and whether or not the relevant claim has merit.

Vulnerabilities found under this program are not to be publicly announced; failing this, the researcher shall be liable to legal penalty. We appreciate your getting in touch with us and giving us the time to examine the issue. The safety of our customers’ information and assets is our top priority. Therefore, we encourage anyone who has discovered a vulnerability in our systems to act promptly and help us improve and strengthen the safety of our sites and systems.

Our Recognition

We currently do not provide any compensation or gifts for reporting vulnerabilities. However, we are glad to express our gratitude for genuine and ethical disclosures, and we would be glad to publicly acknowledge your responsible disclosure. We also try to make the issue public after the vulnerability is announced. Further, demands for monetary compensation will not comply with this Responsible Disclosure Policy.

If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy, PayFi shall:

  • Acknowledge receipt of your vulnerability report
  • Work with you to understand and validate the issue
  • Address the risk as deemed appropriate by the PayFi team
  • Work together with you to prevent cyber-crime

PayFi will review the submission to determine if the finding is valid and has not been previously reported. Publicly disclosing the submission details of any identified or alleged vulnerability without express written consent from PayFi will deem the submission noncompliant with this Responsible Disclosure Policy.

PayFi reserves all of its rights, especially regarding vulnerability discoveries that are not in compliance with this Responsible Disclosure Policy.