iPaidThat values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities.

We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you provided you comply with the following Responsible Disclosure Guidelines:

PLEASE DO NOT RUN ANY AUTOMATIC SCAN AGAINST OUR INFRASTRUCTURE. IF YOU'RE USING TOOLS LIKE REPEATER ON BURP SUITE, PLEASE CONFIGURE YOUR THROTTLE TO SIMULATE A USER USAGE.

  • Create an account with the following phone number: +336 13371337

  • Use a valid address mail so we can get in touch with you in case you make to much "noise"

  • Do not create more than 5 accounts.

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.

  • Do not modify or access data that does not belong to you.

  • Give iPaidThat a reasonable time to correct the issue before making any information public, and ask for our approval before making any disclosure.

Endpoint

We are primarily interested in hearing about the following vulnerability categories:

  • Sensitive Data Exposure – Cross Site Scripting (XSS) Stored, SQL Injection (SQLi), etc.

  • Authentication or Session Management related issues

  • Remote Code Execution

  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories

Out of Scope

The following vulnerability categories are considered out of scope of our responsible disclosure program and should be avoided by researchers.

  • Any other iPaidThat subdomains

  • Denial of Service (DoS) – Either through network traffic, resources exhaustion or others

  • Issues only present in old browsers/old plugins/end-of-life software browsers

  • Phishing or social engineering of iPaidThat employees, users or clients

  • User enumeration

  • TLS cookie without secure flag set

  • Privilege escalation between member of the same organisation

  • Missing CSRF token on some endpoint (we are aware of some issue and are working on it).

  • Systems or issues that relate to Third-Party technology used by iPaidThat

  • Disclosure of known public files and other information disclosures that are not a material risk (e.g.: robots.txt)

  • Any attack or vulnerability that hinges on a user’s computer first being compromised

  • Miss of rate limits

  • Report from automated tools or scans

  • DNSSEC

  • Relating to HSTS

  • Missing security headers which do not lead directly to a vulnerability

  • Physical attack on the infrastructure

  • Browser that support "Content Security Pocily" tag

  • Theoretical attacks

  • Breaking of SSL/TLS trust

  • Compromising of browser/device (ex. computer sharing, physical access to a user's device, ...)

  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms

  • Outdated DNS record pointing to system which does not belong to iPaidThat

  • Access to content via means of CDN / Content Delivery Networks / Network caches

  • Clickjaking

  • Email verification

  • Password policy

  • HyperLink injection on Email

Vulnerability Rewards

Level

Examples

Reward

Critical

Remote code execution

SQL Injection

Data leak

Server Access

500$+

High

Privilege Escalation to Super Admin accounts

Access to unauthorized private data

200$+

Medium

XSS

Security missconfiguration

100$+

Low

Vulnerability may result in limited risk or require the presence of multiple additional vulnerabilities to become exploitable. Examples include overly verbose error messages, and detailed banner information disclosure.

25$-75$

Informative

Finding does not have a direct security impact but represents an opportunity to add an additional layer of security, is a deviation from best practices, or is a security-relevant observation that may lead to exploitable vulnerabilities in the future. Examples include vulnerable yet unused source code and missing HTTP security headers. DMARC / DKIM / SPF missconfiguration

0

Vulnerability rating is based on CVSS and at the appreciation of iPaidThat team.

On top of this reward, we will also list you here in the Special Thanks session (if you accept)

Reporting a Security Vulnerability

Submit your finding to security@ipaidthat.io.

Please include:

  • A summary of the problem

  • A proof-of-concept or a stepwise breakdown


Special Thanks

2020

Avez-vous trouvé votre réponse?