PayU takes the security of our systems and our data very seriously. We are continuously striving to maintain and ensure that our environment is safe and secure for everyone to use. If you’ve discovered any security vulnerabilities associated with any of our PayU services, we do appreciate your help in disclosing it to us in a responsible manner.
Responsible Disclosure Policy
PayU will engage with you as external security researchers (the Researcher) when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy.
If a Researcher follows the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us, unless prescribed otherwise by law or the payment scheme rules, we commit to:
– promptly acknowledging receipt of your vulnerability report and work with the researcher to understand and attempt to resolve the issue quickly;
– validating, responding and fixing such vulnerability in accordance with our commitment to security and privacy. We will notify you when the issue is fixed;
– unless prescribed by law otherwise, not pursue or take legal action against you or the person who reported such security vulnerabilities;
– not suspend or terminate access to our service(s) if you are a merchant. If you are an agent, not suspend or terminate merchants’ access to our services to which the agent represents;
– publicly acknowledge and recognize your responsible disclosure in our Hall of Fame page.
In Scope of this Policy
Any of the PayU services, iOS or Android-based apps, which process, store, transfer or use in one way or personal or sensitive personal information, such as card data and authentication data.
In particular, Web service vulnerabilities are classified using OWASP Top-10. Mobile application vulnerabilities are classified using OWASP Mobile Top-10.
Out of Scope
Any services hosted by 3rd party providers and services not provided by PayU.
A Researcher can test only against a merchant account if they are an account owner or an agent authorized by the account owner to conduct such testing.
As a Researcher, in no event are you permitted to access, download or modify data residing in any other account or that does not belong to you or attempt to do any such activities.
In the interest of the safety of our merchants, users, employees, the Internet at large and you as a Researcher, the following test types are expressly excluded from scope and testing: any findings from physical testing (office access, tailgating, open doors) or DOS or DDOS vulnerabilities. A responsible disclosure also does not include identifying any spelling mistakes, or any UI and UX bugs…
We require that all Researchers must:
– Make every effort to avoid privacy violations, degradation of user or merchant experience, disruption to production systems, and destruction of data during security testing.
– Not attempt to gain access to any other persons account, data or personal information.
– Use the identified email address to report any vulnerability information to us.
– Keep information about any vulnerabilities you’ve discovered confidential between yourself and PayU. PayU will take a reasonable time to remedy such vulnerability (approximately 3 months as a minimum but this is dependent on the nature of the security vulnerability and regulatory compliance by PayU). The Researcher shall not publicly disclose the bug or vulnerability on any online or physical platform before it is fixed and prior written approval to publicly disclose from PayU.
– Not perform any attack that could harm the reliability, integrity and capacity of our Services. DDoS/spam attached not allowed;
– Not use scanners or automated tools to find vulnerabilities (noisy and we may automatically suspend your account and ban your IP address)
– As a Researcher, you represent and warrant that you have the right, title and interest to disclose any vulnerability found and to submit any information, including documents, codes, among others, in connection therewith. Once you inform a vulnerability, you grant PayU, its subsidiaries and affiliates an irrevocable, worldwide, royalty-free, transferrable, sublicensable right to use in any way PayU deems appropriate for any purpose, such as: reproduction, modification, distribution, adaptation among other uses, the information related with the vulnerabilities. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by PayU.
Remember that you must never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Please include the following information with your report:
– detailed description of the steps required to help us reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
– Your email address.
Recognition – Hall of Fame Page
– By helping PayU continuously keep our data secure, once the security vulnerability is verified and fixed as a result of report, we would like to put your name on our Hall of Fame page.
– Of course, we will need to know if you want the recognition, in which case you will be required to give us your name and Twitter handle as you wish it to be displayed on our Hall of Fame page.
We do not offer any monetary compensation, only fame, glory recognition and our appreciation.
Requests or demands for monetary compensation in connection with any identified or alleged vulnerability are non-compliant with this Responsible Disclosure Policy.
Hall of Fame
PayU thanks the following individuals and organizations that have identified security vulnerabilities in accordance with this Responsible Disclosure Policy.
Researcher shall fully indemnify, hold harmless and defend (collectively “indemnify” and “indemnification”) PayU, its subsidiaries and affiliates, its directors, officers, employees, agents, and stockholders (collectively, “Indemnified Parties”) from and against all claims, demands, actions, suits, damages, liabilities, losses, settlements, judgments, costs and expenses (including but not limited to reasonable attorney’s fees and costs), whether or not involving a third party claim, which arise out of or relate to (1) any breach of any representation or warranty contained in this Responsible Disclosure Policy made by the researcher, (2) any breach or violation of the terms of this Responsible Disclosure Policy or any obligation or duty of the Researcher referred therein or under applicable law, (3) any breach of the confidentiality, (4) any misuse of data, including personal data, (5) any breach of any waiver granted, (6) any attempt to contact PayU’s clients, users or third parties to inform the existence of the vulnerability. It includes any reference or message in social media making reference to the finding (7) any attempt to bring direct or indirectly claims, lawsuits, demands, actions judgments against PayU or any other Indemnified Party, in each case whether or not caused by the negligence of PayU or any other Indemnified Party and whether or not the relevant claim has merit.