Bug bounty program

About

The BridgerPay Bug Bounty program is designed to improve the security of our applications and services by encouraging external researchers to report vulnerabilities. This program is open to any researcher who agrees to the program's terms and conditions. All vulnerability reports will be reviewed and processed on an individual basis. Rewards are only available under the terms and conditions of this program. BridgerPay reserves the right to not respond to vulnerability reports, deny rewards, request additional information, and modify the program's terms and conditions at any time.

Privacy policy

By submitting a vulnerability report to BridgerPay, the researcher agrees to maintain the confidentiality of the vulnerability and related information until BridgerPay has had the opportunity to address the issue.

Without the written consent of BridgerPay, researchers are prohibited from disclosing discovered vulnerabilities or information about them, and from sharing any information about work related to searching for vulnerabilities in BridgerPay applications and services. BridgerPay reserves the right to decline requests for public disclosure of vulnerabilities found in BridgerPay applications and services.

Scope for researchers

Restrictions:

The BridgerPay Bug Bounty program does not cover vulnerabilities that fall into any of the following categories:

  • Spam.
  • Vulnerabilities that require social engineering/phishing.
  • Reports of phishing and other social engineering techniques.
  • DDoS attacks.
  • Hypothetical issues that do not have any practical impact.
  • Security vulnerabilities in third-party applications/libraries and on third-party websites integrated with BridgerPay.
  • Scanner output or scanner-generated reports.
  • Issues found through automated testing.
  • Publicly-released bugs in Internet software within 30 days of their disclosure.
  • Man-in-the-Middle attacks.
  • Host header injections without a specific, demonstrable impact.
  • Self-XSS without the ability to attack other users.
  • Login/logout CSRF.
  • CSRF and XSS without influencing sensitive data.
  • Information about IP addresses, DNS records and open ports.
  • Disclosure of public information about users.
  • Clickjacking.
  • Lack of recommended security mechanisms without an additional attack vector (for example, HTTP security headers, cookie safety flags or CSRF protection).
  • Insecurely configured TLS or SSL without an attack vector.
  • Open Redirect without an additional attack vector (for example, theft of an authorization token).
  • Content substitution on a page.
  • Vulnerabilities that require the implementation of complex or improbable scenarios of user interaction.
  • Tabnabbing.
  • Full Path Disclosure.
  • Cache-control related issues.
  • Lack of security flags in cookies.
  • UX/UI bugs and spelling mistakes.
  • Broken Link Hijacking.

Rules and conditions:

When searching for vulnerabilities in BridgerPay services, the following rules must be observed:

  • For testing you should use only your own accounts.
  • You are not allowed to use the credentials of other users for testing.
  • BridgerPay does not issue additional accesses and accounts (including test accounts) for testing.
  • Any attempt to access the credentials of other users of BridgerPay applications and services is prohibited.
  • When searching for vulnerabilities, it is prohibited to compromise the integrity, availability or confidentiality of BridgerPay applications and services.
  • Any activity that could damage the company's applications, infrastructure, customers and partners is prohibited.

Requirements for the reporting

One report should describe one vulnerability. The exceptions are those cases when vulnerabilities are either linked or can be combined into a chain.

The email subject should begin with the phrase "Bug Report Submission - [Bug Title]".

The vulnerability report should contain the following information:

  • Bug Title: [Bug Title]
  • Description: [Bug Description]
  • Severity: [Reported Severity]
  • Steps to Reproduce: [Detailed Steps]
  • Impact: [Potential Impact]
  • Recommendations for remediation: [Potential solutions]
  • Proof of concept: [Provide any necessary code snippets, screenshots, or other evidence to support your findings.]

Failure to adhere to the specified reporting guidelines may result in the report being deemed ineligible for consideration.

If the report does not contain enough data to verify the vulnerability, no reward is paid.

Time for consideration of the report

Each report is reviewed individually by the BridgerPay security team.

The review time depends on the severity of the reported vulnerability and the workload of the team.

On average, each report is reviewed within two weeks.

Rewards

The reward is paid only for the discovery of previously unknown vulnerabilities.

Payment is subject to all conditions, rules and restrictions of this program; if any of them is violated, no payment is made.

Reward payment

The reward is paid only for the first received report on the vulnerability found.

Payment is made provided that the report contains all the information necessary to confirm the vulnerability.

Any subsequent reports covering the same vulnerability or containing similar attack vectors will be marked as duplicate.

The amount of the award paid is final and non-negotiable.

Payment is made on condition that the researcher provides all the information requested in the invoice. An invoice form will be sent separately to be filled in.

Contacts

The information on the vulnerabilities found should be sent to ciso@bridgerpay.com.
