At Tazapay, we take system security very seriously and continuously work to maintain a safe and secure environment for all users. However, ensuring system security is an ongoing process, and we welcome any reports of security vulnerabilities associated with our Tazapay services.
Tazapay invites skilled security researchers to participate in our Vulnerability Disclosure Program. As an external security researcher, you can engage with Tazapay by reporting any vulnerabilities to us in accordance with our Responsible Disclosure Policy. Tazapay reserves the right to assess the validity of each report based on the impact of the vulnerability.
Tazapay genuinely values the assistance of security researchers and others in the security community to help keep our systems secure. However, we insist that researchers follow the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us.
Reach out to [email protected] if you have found any potential vulnerabilities in our product and infrastructure that meet the criteria mentioned in the policy below.
Our security team will acknowledge your submission within 24 hours.
Tazapay will define the severity of the issue based on its impact and ease of exploitation.
We may take 3 to 5 days to validate the reported issue.
Please refrain from accessing sensitive information (use a test account and/or test system instead), performing actions that may negatively affect other Tazapay users (such as denial of service), or sending reports from automated tools.
You must not exploit a security vulnerability that you discover for any reason.
Perform research only within the scope set out below.
As a researcher, you are not permitted to access, download, or modify data residing in any other account that does not belong to you or attempt to do any such activities.
Keep information about any vulnerability confidential until the issue is resolved. Do not publicly disclose details of a security vulnerability that you have reported without Tazapay's permission.
Tazapay commits to publicly acknowledging and recognizing your responsible disclosure on our Hall of Fame page.
Tazapay determines recognition in the Hall of Fame based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. Note that extremely low-risk vulnerabilities may not qualify for the Hall of Fame at all.
In the event of duplicate reports, we give recognition to the first person to submit a vulnerability. (Tazapay determines duplicates and may not share details of the other reports.)
To register yourself after identifying a vulnerability, please send an email to [email protected] with the details.
After registration, please only use the registered email ID when interacting with the Tazapay security team. Do not use personal emails, social media accounts, or other private connections to contact a member of the security team regarding vulnerabilities or any program-related issues, unless instructed to do so.
In your report, please provide the following details:
- Description and potential impact of the vulnerability;
- A detailed description of the steps required to reproduce the vulnerability;
- Screenshots and video PoC, if available;
- Your preferred name/handle for recognition in our Security Researcher Hall of Fame.
Only the following domains are included in the scope of this program, and researchers are recommended to look for security vulnerabilities within them:
- *.tazapay.com
- https://wcdev.tazapay.com
As part of providing services to its customers, Tazapay uses integrations with various third-party software. This program does not extend to any such third-party software, and bugs or vulnerabilities detected in such third-party software will not be considered a valid find. Nonetheless, any such vulnerabilities communicated to Tazapay may be further transmitted/informed to the third-party service provider.
The following classes of vulnerability qualify for this program:
- Remote code execution (RCE)
- Ability to bypass the payment flow
- Account takeover attack (ATO)
- Price manipulation with a successful transaction (transaction ID required)
- SQL injection, XXE injection and command injection
- Stored cross-site scripting and impactful reflected XSS
- Server-side request forgery (SSRF)
- Misconfiguration issues on servers and applications
- Authentication and authorization vulnerabilities, including horizontal and vertical privilege escalation
- Cross-site request forgery (CSRF)
- Sensitive information leaks and IDOR
- Domain takeover vulnerabilities
- Any vulnerability that can affect the Tazapay brand, user (customer/merchant) data, or financial transactions
The following issues are excluded from this program and do not qualify:
- Social engineering (including phishing) of any Tazapay staff or contractors
- Denial of service (DoS) and distributed denial of service (DDoS)
- X-Frame-Options related issues; missing cookie flags on non-sensitive cookies
- Missing security headers that do not lead directly to a vulnerability (unless you deliver a PoC)
- Version exposure (unless you deliver a PoC of a working exploit)
- Directory listing of already publicly readable content
- HTML injection and self-XSS
- Information disclosure not associated with a vulnerability, such as stack traces, application or server errors, robots.txt, etc.
- Use of known-vulnerable libraries (such as OpenSSL) without proof of exploitation
- Brute forcing of login or forgotten-password pages, and account lockout not being enforced
- Application denial of service by locking user accounts
- Reports from automated scripts or scanners
- Clickjacking and issues only exploitable through clickjacking
- Missing or weak CAPTCHA, or CAPTCHA bypass
- SSL/TLS issues such as BEAST, BREACH, renegotiation attacks, forward secrecy not enabled, weak/insecure cipher suites, and missing best practices
- HTTP TRACE or OPTIONS methods enabled
- Login/logout CSRF
- Open ports without an accompanying proof of concept demonstrating a vulnerability
- Reflected XSS (unless you deliver a PoC showing impact)
- Formula injection or CSV injection
- EXIF data not stripped from images
- Rate-limiting issues
- Missing HTTP security headers and cookie flags on non-sensitive cookies
- Email issues related to SPF/DKIM/DMARC
- User email enumeration
Tazapay reserves the right to expand this list and include additional exclusions when required.
We do not offer a bounty or cash reward program for security disclosures, but we express our gratitude to security researchers publicly. As a gesture of appreciation and goodwill, we will add your name to our Hall of Fame.
If you want to be recognized, please provide us with your name, Twitter handle, or LinkedIn profile as you wish it to be displayed on our Hall of Fame page.