iPaidThat Vulnerability disclosure program


iPaidThat values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities.

We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you provided you comply with the following Responsible Disclosure Guidelines:

PLEASE DO NOT RUN ANY AUTOMATIC SCAN AGAINST OUR INFRASTRUCTURE. IF YOU'RE USING TOOLS LIKE REPEATER OR INTRUDER IN BURP SUITE, PLEASE CONFIGURE YOUR THROTTLE TO SIMULATE NORMAL USER USAGE.


  • Create an account with the following phone number: +336 13371337

  • Use a valid email address so we can get in touch with you in case you make too much "noise"

  • Do not create more than 5 accounts.

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.

  • Do not modify or access data that does not belong to you.

  • Give iPaidThat a reasonable time to correct the issue before making any information public, and ask for our approval before making any disclosure.

Endpoint


We are primarily interested in hearing about the following vulnerability categories:

  • Sensitive Data Exposure – Stored Cross-Site Scripting (XSS), SQL Injection (SQLi), etc.

  • Authentication or Session Management related issues

  • Remote Code Execution

  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories


Out of Scope

The following vulnerability categories are considered out of scope of our responsible disclosure program and should be avoided by researchers.

  • Any other iPaidThat subdomains

  • Denial of Service (DoS) – whether through network traffic, resource exhaustion or other means

  • Issues only present in old browsers, old plugins or end-of-life browser software

  • Phishing or social engineering of iPaidThat employees, users or clients

  • User enumeration

  • TLS cookie without secure flag set

  • Privilege escalation between members of the same organisation

  • Missing CSRF token on some endpoints (we are aware of some issues and are working on them)

  • Broken link hijack

  • Systems or issues that relate to third-party technology used by iPaidThat

  • Disclosure of known public files and other information disclosures that are not a material risk (e.g.: robots.txt)

  • Any attack or vulnerability that hinges on a user’s computer first being compromised

  • Missing rate limits

  • Reports from automated tools or scans

  • DNSSEC

  • Issues relating to HSTS

  • Missing security headers which do not lead directly to a vulnerability

  • Physical attack on the infrastructure

  • Browsers that support the "Content Security Policy" header

  • Theoretical attacks

  • Breaking of SSL/TLS trust

  • Compromising of browser/device (ex. computer sharing, physical access to a user's device, ...)

  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms

  • Outdated DNS records pointing to systems which do not belong to iPaidThat

  • Access to content via CDNs (Content Delivery Networks) or network caches

  • Clickjacking

  • Email verification

  • Password policy

Vulnerability Rewards

Level       | Examples                                                                                                                                                                                                                                                                                                                                                                                        | Reward
Critical    | Remote code execution; SQL Injection; Data leak; Server Access                                                                                                                                                                                                                                                                                                                                   | 500$+
High        | Privilege Escalation to Super Admin accounts; Access to unauthorized private data                                                                                                                                                                                                                                                                                                                | 200$+
Medium      | XSS; Security misconfiguration                                                                                                                                                                                                                                                                                                                                                                   | 100$+
Low         | Vulnerability may result in limited risk or require the presence of multiple additional vulnerabilities to become exploitable. Examples include overly verbose error messages and detailed banner information disclosure.                                                                                                                                                                      | 25$-75$
Informative | Finding does not have a direct security impact but represents an opportunity to add an additional layer of security, is a deviation from best practices, or is a security-relevant observation that may lead to exploitable vulnerabilities in the future. Examples include vulnerable yet unused source code, missing HTTP security headers, and DMARC / DKIM / SPF misconfiguration. | 0

Vulnerability rating is based on CVSS and on the assessment of the iPaidThat team.

On top of this reward, we will also list you here in the Special Thanks section (if you accept).

Reporting a Security Vulnerability

Submit your finding to security@ipaidthat.io.

Please include:

  • A summary of the problem

  • A proof-of-concept or a stepwise breakdown

Special Thanks


2020