Responsible Security Vulnerability Disclosure Policy

At SecurePay, ensuring the safety and security of customer data is paramount. It underpins everything we do and ensures we maintain the highest security standards across our products and services. We are committed to working with our customers, security researchers, and other third parties to respond to legitimate reports of security vulnerabilities. We encourage the community to participate in our responsible reporting process.

If you would like to report a security vulnerability, please send an email to: security@securepay.com.au. Please provide your name, contact information, your PGP public key and company name (if applicable) with each report. We will acknowledge receipt of your vulnerability report within 2 days and send you regular updates about our progress. Please refrain from requesting compensation for reporting vulnerabilities.

Download the SecurePay PGP (encryption) Key here.

Responsible Disclosure Guidelines

To encourage responsible reporting, we will not take legal action against you, provided you comply with the following Responsible Disclosure Guidelines:

  • Provide details of the vulnerability, including the information needed to reproduce and validate it and a Proof of Concept (PoC);
  • Do not cause service interruption including degradation of service or destruction of data;
  • Do not access, modify, delete or share data that does not belong to you;
  • Do not use social engineering techniques;
  • Give SecurePay a reasonable time to correct the issue before sharing with any other party and/or person(s) or making any information public.

The following finding types are excluded from these Responsible Disclosure Guidelines:

  • Descriptive error messages such as stack traces, application or server errors
  • HTTP 404 codes or pages, or other HTTP non-200 codes or pages
  • Fingerprinting or banner disclosure on common and public services
  • Disclosure of known public files or directories, such as robots.txt
  • Clickjacking and other issues only exploitable through clickjacking
  • CSRF on forms that are available to anonymous users, such as contact, login and logout forms
  • Content spoofing
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • Lack of Secure or HttpOnly flags on non-sensitive cookies
  • Brute-force attacks against login or forgot-password pages, or absence of account lockout
  • OPTIONS HTTP method enabled
  • Missing HTTP security headers, such as Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, etc.
  • HTTP or DNS cache poisoning
  • Weak or insecure SSL/TLS cipher suites
  • Self-XSS

Third-party software security vulnerabilities

If security vulnerabilities reported to us affect a third-party code library, service or vendor, SecurePay reserves the right to forward details of the vulnerability to that party without further approval. We will do our best to coordinate and communicate with researchers through this process. SecurePay reserves the right to accept or reject any vulnerability disclosure coordination role at our discretion.

Any inquiries regarding this policy should be directed to security@securepay.com.au.

Recognition

We thank the following researchers who have helped keep our products and services safe by reporting security vulnerabilities responsibly in accordance with our Responsible Disclosure Program:

2018
  • Abhijeet Sarkar
  • Akash Joshi
