Disclosure Policy

Webtopia Pay Financial Technologies Private Limited (hereinafter referred to as "Webtopia Pay") regards the security of its products and services as an essential part of its business practice. To maintain this practice, we encourage security researchers ("Participant(s)") to responsibly disclose any security vulnerabilities that they identify in Webtopia Pay's systems. Such reporting enables Webtopia Pay to strengthen the security of its systems and keep its business and customers safe. This Responsible Disclosure Policy ("Policy") guides Participants in conducting responsible vulnerability discovery activities and describes how findings should be submitted to us.

If a Participant believes they have found a real or potential security vulnerability in any Webtopia Pay-owned system or software, we urge them to report it to us as soon as possible via the 'Submit Report' tab provided above. We appreciate your efforts in helping us provide better-quality products and services to our customers. Wherever the context requires, Webtopia Pay and the Participant are hereinafter collectively referred to as the "Parties" and individually as a "Party".

If a Participant follows the guidelines in this Policy when reporting a security vulnerability to Webtopia Pay, then, unless prescribed otherwise by law or the payment scheme rules, Webtopia Pay shall:

  • promptly acknowledge receipt of the vulnerability report and work with the Participant to understand and resolve the issue quickly;
  • validate, respond to and fix the vulnerability in accordance with Webtopia Pay's commitment to security and privacy, and notify the Participant when the issue is fixed;
  • not pursue or take legal action against the Participant or the person who reported the security vulnerability;
  • not suspend or terminate the Participant's access to Webtopia Pay's services if the Participant is a merchant, and, if the Participant is an agent of a merchant, not suspend or terminate that merchant's access to Webtopia Pay's services.

RESPONSE TARGETS:

On a best-efforts basis, Webtopia Pay shall endeavour to meet the following targets for Participants engaging in our program:

Initial Response - the security team will review the submission and respond within 3 business days.

Time for Resolution - depends on the severity and complexity of the security vulnerability reported.

Webtopia Pay shall aim to keep the Participant informed on the progress at each stage of the aforementioned process.

DISCLOSURE POLICY:

The identified vulnerability shall be reported to our security team by sending an email from the Participant's registered email address to security@bankWebtopia Pay.co, with the details below and the subject prefixed with "Bug Bounty". The email shall strictly follow the format specified below.

Subject:

Bug Bounty: <Vulnerability Type> - <Participant’s Full Name>

Email Body:

Vulnerability Information:

Name of Vulnerability:

Vulnerability type:

Description:

Vulnerable Instances:

Steps to Reproduce:

Proof of Concept:

Impact:

Recommendation:

Bounty Hunter details:

Full Name:

Email Address:

Mobile Number:

Any Publicly Identifiable profile:

Note: Webtopia Pay's security team shall review the submission and respond to the Participant within 3 business days.

PROGRAM RULES:

The Participant should provide a detailed report of the security vulnerability with reproducible steps. If Webtopia Pay finds that a report is not detailed enough to reproduce the security vulnerability, the vulnerability shall not be eligible for a reward.

  • The Participant should submit one report per security vulnerability, unless several vulnerabilities need to be combined to demonstrate a collective impact.
  • When duplicate or multiple reports are submitted for the same security vulnerability, Webtopia Pay shall reward only the first report received (provided the security vulnerability is fully reproducible).
  • Multiple security vulnerabilities reported for one underlying issue will be awarded a bounty only once.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • The Participant should make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of Webtopia Pay's services. The Participant should interact only with accounts that they own, or with a third-party account with the explicit permission of the account holder.

TEST PLAN:

  • Verify the security vulnerability using appropriate test data, and ensure that this data is not used for any other transactions.
  • Use Indian Rupee (INR) for testing, with different sets of data.
  • Use the appropriate environment for testing.

REWARD CATEGORIZATION:

All bounty rewards will be paid based on an internal assessment by Webtopia Pay's security team. We have grouped vulnerabilities by impact into the severity categories below to give insight into how we assess vulnerabilities. The list is not exhaustive, and Webtopia Pay may update it at any time.

Note

  • Automated tools or scripts ARE STRICTLY PROHIBITED, and any POC submitted to Webtopia Pay shall include a proper step-by-step guide to reproduce the security vulnerability.
  • Abuse of any security vulnerability identified by the Participant may be subject to legal penalties.
  • Bounty rewards will be determined after discussion amongst the concerned stakeholders in Webtopia Pay's leadership teams.

Critical

  • SQL Injection (able to access and manipulate sensitive and PII information)
  • Remote Code Execution (RCE) vulnerabilities
  • Shell Upload vulnerabilities (upload only a basic backend script that prints a string, preferably the hostname of the server, and stop there)
  • Bulk leakage of sensitive user information
  • Business logic vulnerabilities (critically impacting Webtopia Pay's brand, user (Customer/Vendor/Delivery Executive) data, or financial transactions)

High

  • Authentication bypass
  • Non-Blind SSRF
  • Account Takeover (Without user interaction)
  • Vertical privilege escalation (Gaining admin access)
  • Stored XSS
  • Subdomain Takeover (On active domains)
  • IDOR (Able to access and modify sensitive and PII information)
  • Horizontal privilege escalation
  • Deserialization vulnerabilities

Medium

  • Account Takeover (With user interaction)
  • IDOR (Able to access and modify non-sensitive information)
  • Reflected/DOM-based XSS that can steal user cookies
  • Subdomain Takeover (On non-active domains)
  • Injection attacks (Formula injection, Host header injection)

Low

  • Path Traversal (Access non-sensitive information)
  • IDOR (Non-sensitive information disclosure)
  • Captcha bypass

EXCLUSIONS:

General

  • IDOR references to objects that the user already has permission to access
  • Duplicate submissions for issues that are already being remediated
  • Known issues
  • Missing rate limiting (unless it poses a severe threat to data or causes business loss)
  • Open redirects
  • Clickjacking and issues exploitable only through clickjacking
  • Social engineering attacks
  • Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
  • Missing HttpOnly or Secure flags on cookies other than session cookies (only session cookies are expected to carry these flags; missing flags on any other cookie will not be considered a security vulnerability)
  • Missing security headers
  • Missing HSTS policy
  • Username or email address enumeration
  • HTML injection
  • Missing security best practices that do not constitute a vulnerability
  • Self-XSS
  • Tabnabbing
  • Attacks that require physical access to a user's device
  • Broken link hijacking
  • CSV injection (unless it executes on the server)
  • Missing DNSSEC records

Information Leakage

  • Descriptive error messages (e.g. stack traces, application or server errors)
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages
  • Fingerprinting / banner disclosure on common/public services
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Cacheable SSL pages
  • SSL/TLS best practices

CSRF

  • CSRF on forms that are available to anonymous users (e.g. the contact form, sign-up form)
  • Logout Cross-Site Request Forgery (logout CSRF)
  • Weak CSRF protection in APIs

Safe Harbor

Any activity conducted by the Participant in a manner consistent with this Policy will be considered authorized conduct and will not be subject to legal action. If legal action is initiated by a third party against the Participant in connection with activities conducted under this Policy, Webtopia Pay will take necessary steps to make it known to the third party that the Participant’s actions were conducted in compliance with this Policy.

Thank you for helping keep Webtopia Pay and its users safe!

Programme Scope:

In Scope

Web - https://app.Webtopia Pay.money

API - https://v2-api.bankWebtopia Pay.co

Webtopia Pay NON-DISCLOSURE TERMS ("TERMS"):

Definition

'Confidential Information' shall mean all information supplied in confidence by Webtopia Pay to the Participant, which may be disclosed to the Participant or otherwise acquired by the Participant in its performance under this Security Bug Bounty Responsible Disclosure Programme, including but not limited to:

  1. All information which a reasonable person would consider confidential under the context of disclosure or due to the nature of the information itself, including technical and non-technical information, intellectual property rights, know-how, designs, techniques, plans, procedures, improvements, technology or methods, object code, source code, databases, or any other information relating to Webtopia Pay's products, work in progress, and future development of Webtopia Pay's products;
  2. Marketing strategies, plans, financial information, projections, operations, sales estimates, shareholding patterns, business plans and performance results relating to the past, present or future business of Webtopia Pay, plans for products or services, and customer or supplier lists;
  3. The content, the technical documents and all information relating to Webtopia Pay's products;
  4. Any other information which may be communicated to the Participant by Webtopia Pay.

Obligation Of Confidentiality:

  1. The Participant undertakes to treat and maintain all Confidential Information in confidence. With respect thereto, the Participant undertakes and agrees as follows:
    1. These Terms are on a principal-to-principal basis, and nothing contained herein shall be deemed to create any association, partnership, joint venture or relationship of principal and agent or master and servant, or employer and employee between the Parties.
    2. The Participant shall not publish, disseminate, disclose any Confidential Information for the period of 5 (five) years from the time of such information coming to the knowledge of the Participant.
    3. The Participant shall use the Confidential Information only in connection with the detection and reporting of a security vulnerability and for no other reason whatsoever.
  2. The Participant shall not copy or reproduce or reduce to writing any part of the Confidential Information and any copies, reproductions or reductions to writing of the Confidential Information which have already been made by the Parties shall be the property of Webtopia Pay.
  3. The Participant shall not, from the date of agreeing to these Terms, independently develop or have developed for itself products, concepts, systems or techniques that are similar to or compete with the products, concepts, systems or techniques contemplated by or embodied in the Confidential Information of Webtopia Pay, which development shall be construed as a violation of the obligations of the Participant under these Terms.
  4. The Participant shall indemnify, defend and hold Webtopia Pay harmless from and against any losses, costs, expenses, damages of whatsoever nature which may be incurred or suffered by Webtopia Pay arising out of or in connection with any breach of contract, warranty, tort (including negligence) or otherwise of any of the Participant’s obligations or agreements contained herein.

Ownership:

All Confidential Information furnished to the Participant by Webtopia Pay shall remain the exclusive property of Webtopia Pay and Webtopia Pay shall have the sole and exclusive ownership of all right, title, and interest in and to the Confidential Information, including ownership of all copyrights, patents and trade secrets pertaining thereto, subject only to the rights and privileges expressly granted by Webtopia Pay under the Terms mentioned herein above.

Promptly upon Webtopia Pay’s request at any time, the Participant shall return / cause to be returned to Webtopia Pay all the Confidential Information, including all materials or documents, any copies, summaries and notes of the contents thereof (whether in hard or soft copy form) without limitation, all copies of any analyses, compilations, studies or other documents prepared by and/or for Webtopia Pay, containing or reflecting any Confidential Information and furnish a written certification accordingly.

Remedies:

The Participant understands and acknowledges that any disclosure or misappropriation of any of the Confidential Information in violation of the confidentiality obligations may cause Webtopia Pay grave and irreparable harm, loss and injury, the amount of which may be difficult to ascertain. The Participant agrees that Webtopia Pay has the right to apply to a court of competent jurisdiction for specific performance and/ or an order restraining and enjoining any such further disclosure or breach and for such other relief as Webtopia Pay shall deem appropriate, without posting or the need to post any bond or other security. Such right of Webtopia Pay to obtain equitable relief in the form of specific performance, temporary restraining order, temporary or permanent injunction or any other equitable remedy which may then be available to it, without the necessity of proving actual damages, shall be in addition to the remedies otherwise available to it by law. The Participant expressly waives the defense that a remedy in damages will be adequate.

No Warranties:

Nothing contained in this Policy shall be construed to obligate Webtopia Pay to disclose any information to the Participant.

Miscellaneous:

  1. Any notice or communication to be given to the Participant under this Policy shall be deemed to be served if the notice in writing is delivered to the email ID provided by the Participant at the time of registration.
  2. This Policy shall be legally and contractually binding on the Participant.
  3. The Participant shall not make any assignment of this Policy or any interest therein. Any such assignment shall be null and void, and the Participant shall remain solely responsible for its obligations hereunder.
  4. The failure of Webtopia Pay to insist upon or enforce strict performance of any of the terms of this Policy mentioned hereinabove or to exercise any rights or remedies mentioned hereinabove, shall not be construed as a waiver or relinquishment to any extent of the Webtopia Pay’s rights to assert or rely upon any such provisions, rights or remedies in that or any other instance; rather the same shall remain in full force and effect.
  5. This Policy shall be governed by, construed and enforced in accordance with the laws of the Republic of India.
  6. The courts at Bangalore shall have the exclusive jurisdiction to adjudicate all matters under this Policy.