iPaidThat values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities.
We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you provided you comply with the following Responsible Disclosure Guidelines:
PLEASE DO NOT RUN ANY AUTOMATIC SCAN AGAINST OUR INFRASTRUCTURE. IF YOU'RE USING TOOLS LIKE REPEATER IN BURP SUITE, PLEASE CONFIGURE YOUR THROTTLE TO SIMULATE NORMAL USER USAGE.
Create an account with the following phone number: +336 13371337
Use a valid email address so we can get in touch with you in case you make too much "noise".
Do not create more than 5 accounts.
Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
Do not modify or access data that does not belong to you.
Give iPaidThat a reasonable time to correct the issue before making any information public, and ask for our approval before making any disclosure.
Website related endpoints on https://ipaidthat.io
API related endpoints on ipaidthat.io
We are primarily interested in hearing about the following vulnerability categories:
Sensitive Data Exposure – Cross Site Scripting (XSS) Stored, SQL Injection (SQLi), etc.
Authentication or Session Management related issues
Remote Code Execution
Particularly clever vulnerabilities or unique issues that do not fall into explicit categories
Out of Scope
The following vulnerability categories are considered out of scope of our responsible disclosure program and should be avoided by researchers.
Any other iPaidThat subdomains
Denial of Service (DoS) – either through network traffic, resource exhaustion or other means
Issues only present in old browsers, old plugins or end-of-life browser software
Phishing or social engineering of iPaidThat employees, users or clients
TLS cookie without secure flag set
Privilege escalation between members of the same organisation
Missing CSRF token on some endpoints (we are aware of the issue and are working on it)
Systems or issues that relate to third-party technology used by iPaidThat
Disclosure of known public files and other information disclosures that are not a material risk (e.g.: robots.txt)
Any attack or vulnerability that hinges on a user’s computer first being compromised
Missing rate limits
Reports from automated tools or scans
Issues relating to HSTS
Missing security headers which do not lead directly to a vulnerability
Physical attacks on the infrastructure
Browsers that support the "Content Security Policy" tag
Breaking of SSL/TLS trust
Compromise of the browser/device (e.g. computer sharing, physical access to a user's device, ...)
Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
Outdated DNS records pointing to systems which do not belong to iPaidThat
Access to content via means of CDN / Content Delivery Networks / Network caches
Hyperlink injection in emails
Remote code execution
Privilege Escalation to Super Admin accounts
Access to unauthorized private data
The vulnerability may result in limited risk or require the presence of multiple additional vulnerabilities to become exploitable. Examples include overly verbose error messages and detailed banner information disclosure.
The finding does not have a direct security impact but represents an opportunity to add an additional layer of security, is a deviation from best practices, or is a security-relevant observation that may lead to exploitable vulnerabilities in the future. Examples include vulnerable yet unused source code, missing HTTP security headers, and DMARC / DKIM / SPF misconfiguration.
Vulnerability rating is based on CVSS and at the discretion of the iPaidThat team.
On top of this reward, we will also list you here in the Special Thanks section (if you accept).
Reporting a Security Vulnerability
Submit your finding to email@example.com.
A summary of the problem
A proof-of-concept or a stepwise breakdown