SnortPay Bug Bounty Program

Swetha
Published in SnortPay
Mar 14, 2020

Summary

o If you spot any security issue, you will be eligible for a reward, provided you report it directly to us

o The reward will be based on the severity of the issue (at least ₹1000 assured)

o Send a description of the issue, along with details on how to reproduce it, to: support@snortpay.com

Help us to secure SnortPay further!

SnortPay invites independent security groups and individual researchers to study it across all platforms and help us make it even safer for our customers. Please alert us to any potential security flaw you find. We will suitably reward your efforts in cryptocurrency. Though we welcome reports of non-security issues, please note that only genuine security issues are eligible for rewards, and we may not be able to respond to non-security issues. Send a detailed description to support@snortpay.com.

Guidelines

All researchers are expected to:

o Report their findings by writing to us directly at support@snortpay.com without making any information public. We will confirm receipt within 24 working hours of submission.

o Keep the information about any vulnerability you’ve discovered confidential between SnortPay & yourself until we have resolved the problem.

o Depending on the criticality level, we may take 3 days to 1 week to fix the vulnerability.

o Disclosure of the vulnerability to the public, on social media, or to a third party will result in suspension from the SnortPay Bug Bounty and Secure SnortPay Reward Programs.

o Please make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.

o Perform research only within the limited scope described below.

If you follow these guidelines when reporting an issue to us, we commit to:

o Working with you to understand and resolve the issue quickly

o Suitably rewarding your efforts

o Not pursuing or supporting any legal action related to your research

Scope

o Website: https://SnortPay.com

o Out-of-Scope Properties: any subdomain that is not connected to SnortPay.com.

Qualifying Vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:

o Cross-site Scripting (XSS)

o Cross-Site Request Forgery (CSRF)

o Server-Side Request Forgery (SSRF)

o SQL Injection

o Server-Side Remote Code Execution (RCE)

o XML External Entity Attacks (XXE)

o Access Control Issues (Insecure Direct Object Reference issues, Privilege Escalation, etc.)

o Exposed Administrative Panels that don’t require login credentials

o Directory Traversal Issues

o Local File Disclosure (LFD) and Remote File Inclusion (RFI)

o Payments Manipulation

o A flaw in third-party integrations that allows placing free orders with SnortPay merchants

o Server-side code execution bugs

Non-Qualifying Vulnerabilities

o Open Redirects: 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing OAuth tokens, we do still want to hear about them.

o Reports that state that software is out of date/vulnerable without a ‘Proof of Concept’.

o Host header issues without an accompanying POC demonstrating vulnerability.

o XSS issues that affect only outdated browsers.

o Stack traces that disclose information.

o Clickjacking and issues only exploitable through clickjacking.

o Best-practice concerns.

o Highly speculative reports about theoretical damage. Be concrete.

o Self-XSS that cannot be used to exploit other users.

o Vulnerabilities as reported by automated tools without additional analysis as to how they’re an issue.

o Reports from automated web vulnerability scanners (Acunetix, Burp Suite, Vega, etc.) that have not been validated.

o Denial of Service Attacks.

o Brute Force Attacks.

o Reflected File Download (RFD).

o Physical or social engineering attempts (this includes phishing attacks against SnortPay and SnortCloudteck cybersecurity solutions employees).

o Content injection issues.

o Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)

o Missing autocomplete attributes.

o Missing cookie flags on non-security-sensitive cookies.

o Issues that require physical access to a victim’s computer.

o Missing security headers that do not present an immediate security vulnerability.

o Fraud Issues.

o Recommendations for security enhancements.

o SSL/TLS scan reports (this means output from sites such as SSL Labs).

o Banner grabbing issues (figuring out what web server we use, etc.).

o Open ports without an accompanying POC demonstrating vulnerability.

o Recently disclosed vulnerabilities. We need time to patch our systems just like everyone else — please give us two weeks before reporting these types of issues.

o Entering the SnortPay and Snortcloudteck cybersecurity offices and hijacking an abandoned terminal on an unlocked workstation while staff are distracted.

Non-Qualifying Vulnerabilities — Mobile Apps

o Shared links leaked through the system clipboard.

o Any URIs leaked because a malicious app has permission to view opened URIs.

o Absence of certificate pinning.

o Sensitive data in URLs/request bodies when protected by TLS.

o User data stored unencrypted on external storage or in the app's private directory.

o Lack of code obfuscation.

o Crashes due to malformed Intents sent to exported Activities/Services/Broadcast Receivers (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL schemes.

o Lack of binary protection controls in the Android app.

o Lack of exploit mitigations, i.e., PIE, ARC, or stack canaries.

o Path disclosure in the binary.

o Snapshot/Pasteboard leakage.

Communication from SnortPay

We ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe are required to reproduce what you have observed. Please make a good-faith effort to protect our users’ privacy and data. We are committed to addressing security issues responsibly and in a timely manner.

Rewards

The monetary reward for every valid security bug will be based on the criticality of the issue and can only be credited to your SnortPay wallet in the form of cryptocurrency. The minimum monetary reward is 1000 Indian Rupees.

Reporting Format

If you believe you’ve found a security vulnerability in one of our products or platforms, please report it by emailing support@snortpay.com. Please include the following details in your report:

o A description of the location and potential impact of the vulnerability

o A detailed description of the steps required to reproduce the vulnerability — POC scripts, screenshots, and compressed screen captures will all be helpful to us
