1. Introduction

    At Tazapay, we take system security very seriously and continuously work to maintain a safe and secure environment for all users. However, ensuring system security is an ongoing process, and we welcome any reports of security vulnerabilities associated with our Tazapay services.

    Tazapay invites skilled security researchers to participate in our Vulnerability Disclosure Program. As external security researchers, you can engage with Tazapay by reporting any vulnerabilities to us in accordance with our Responsible Disclosure Policy. Tazapay reserves the right to validate the reports' validity based on the impact of the vulnerability.

  2. Policy

    Tazapay genuinely values the assistance of security researchers and others in the security community to help keep our systems secure. However, we insist that researchers follow the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us.

    • Reach out to security@tazapay.com if you have found any potential vulnerabilities in our product and infrastructure that meet the criteria mentioned in the policy below.
    • Our security team will acknowledge your submission within 24 hours.
    • Tazapay will define the severity of the issue based on its impact and ease of exploitation.
    • We may take 3 to 5 days to validate the reported issue.
    • Please refrain from accessing sensitive information (by using a test account and/or system), performing actions that may negatively affect other Tazapay users (such as denial of service), or sending reports from automated tools.
    • You must not exploit a security vulnerability that you discover for any reason.
    • Perform research only within the scope set out below.
    • As a researcher, you are not permitted to access, download, or modify data residing in any other account that does not belong to you or attempt to do any such activities.
    • Keep information about any vulnerability confidential until the issue is resolved. Do not publicly disclose details of a security vulnerability that you have reported without Tazapay's permission.
    • Tazapay commits to publicly acknowledge and recognize your responsible disclosure on our Hall of Fame page.
    • Tazapay determines recognition in the Hall of Fame based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. Note that extremely low-risk vulnerabilities may not qualify for the Hall of Fame at all.
    • In the event of duplicate reports, we give recognition to the first person to submit a vulnerability. (Tazapay determines duplicates and may not share details on the other reports).
  3. Reporting Guidelines

    To register yourself after identifying a vulnerability, please send an email to security@tazapay.com with the details.

    After registration, please only use the registered email ID when interacting with the Tazapay security team. Do not use personal emails, social media accounts, or other private connections to contact a member of the security team regarding vulnerabilities or any program-related issues, unless instructed to do so.

    In your report, please provide the following details:

    • Description and potential impact of the vulnerability;
    • A detailed description of the steps required to reproduce the vulnerability;
    • Screenshots and video POC, if available;
    • Your preferred name/handle for recognition in our Security Researcher Hall of Fame.
  4. Target Scope

    Only the following domains are included in the scope of this program, and researchers are recommended to look for security vulnerabilities within them:

    • *.tazapay.com
    Exclusion of Third-Party Software:

    As part of providing services to its customers, Tazapay uses integrations with various third-party software. This program does not extend to any such third-party software, and bugs or vulnerabilities detected in such third-party software will not be considered a valid find. Nonetheless, any such vulnerabilities communicated to Tazapay may be further transmitted/informed to the third-party service provider.

  5. In-Scope Vulnerabilities

    • Remote code execution (RCE)
    • Able to bypass payment flow
    • Account takeover attack (ATO)
    • Price manipulation with a successful transaction (transaction id required)
    • SQL/XXE Injection and Command injection
    • Stored Cross-Site Scripting and impactful Reflected XSS
    • Server-side request forgery (SSRF)
    • Misconfiguration issues on servers and application
    • Authentication and Authorization vulnerabilities including horizontal and vertical escalation
    • Cross-site request forgeries (CSRF)
    • Sensitive information leak and IDOR
    • Domain take-over vulnerabilities
    • Any vulnerability that can affect the Tazapay Brand, User (Customer/Merchant) data, and financial transactions
  6. Out-of-Scope Vulnerabilities

    • Social engineering (including phishing) with any Tazapay staff or contractors
    • Denial of Service, Distributed-DoS
    • X-Frame-Options related, missing cookie flags on non-sensitive cookies;
    • Missing security headers that do not lead directly to a vulnerability (unless you deliver a PoC)
    • Version exposure (unless you deliver a PoC of working exploit)
    • Directory listing with already publicly readable content
    • HTML injection and Self-XSS
    • Information disclosure not associated with a vulnerability, i.e.: stack traces, application or server errors, robots.txt, etc
    • Use of known-vulnerable libraries without proof of exploitation such as OpenSSL
    • Log-in or forgotten password page brute forcing and account lockout not being enforced
    • Application denial of service by locking user accounts
    • Reports from automated scripts or scanners
    • Clickjacking and issues only exploitable through clickjacking
    • No / weak captcha/captcha bypass
    • SSL issues such as BEAST, BREACH, renegotiation attack, forward secrecy not enabled, weak/insecure cipher suites, and missing best practices
    • HTTP TRACE or OPTIONS methods enabled
    • Login/logout CSRF
    • Open ports without an accompanying proof-of-concept demonstrating vulnerability
    • Reflected XSS (unless you deliver a PoC showing impact)
    • Formula Injection or CSV Injection
    • EXIF data not stripped on images
    • Rate limiting
    • Missing HTTP security headers and cookie flags on insensitive cookies
    • Email - issues related to SPF/DKIM/DMARC
    • User email enumeration

    Tazapay reserves its right to expand this list and includes additional exclusions when required.

  7. Acknowledgments

    We do not offer a bounty or cash reward program for security disclosures, but we express our gratitude to security researchers publicly. As a gesture of appreciation and goodwill, we will add your name to our Hall of Fame.

    If you want to be recognized, please provide us with your name, Twitter handle, or LinkedIn profile as you wish it to be displayed on our Hall of Fame page.

  8. Hall of Fame