Responsible disclosure

Rewards Program Terms
  • Based on the risk of the reported security vulnerability, Pay. decides the reward. Please note: if the report is not a security issue or is low risk, no reward may be awarded.
  • When duplicate reports are received about a specific security issue, the reward will be awarded to the first person to report the security issue. Pay. determines whether there is a double report and does not share substantive data about the reports concerned.
  • An awarded reward is only given to one person.
  • We try to provide equal rewards for similar security vulnerabilities. However, the rewards and eligible security vulnerabilities are subject to change. Past awards are no guarantee of comparable results in the future.

What can you not report?

This Responsible Disclosure scheme is not intended for reporting complaints. The scheme is also not intended for:

  • reporting that the website is not available
  • reporting fraud
  • reporting fake emails (phishing emails)
  • reporting viruses

Websites out of scope

We use third-party software. This software does not contain critical data and in some cases is hosted externally. Security notifications for the following:

are excluded from the Responsible Disclosure program.

To demonstrate various webshop systems, example shops are set up on the domain paywebshopdemo.nl.

All subdomains of paywebshopdemo.nl are excluded from this Responsible Disclosure program (https://*********.paywebshopdemo.nl).

What do we do next?

After receiving your report, you will receive an automatic confirmation of receipt from us. You will be notified of the next steps within 3 business days. 

Is it a serious security issue? Then you will receive an appropriate reward from us as a thank you for reporting it. The reward is based on the risk and impact of the security problem and can range from a t-shirt to a maximum of 250 euros in gift vouchers. Please note: this must be a previously unknown and serious security problem.

Your contact details are only used to communicate about the report. We do not share these with others, unless law, regulation or judicial authorities require us to do so. If we regard your action as a criminal offence (i.e. you do not act in good faith), we will report it to the police.

If you have reported anonymously, we will not be able to transfer your reward or keep you informed.

How can you submit a report?

You can report a discovered vulnerability in our services via security@pay.nl.

Rules

Please do not make the issue public; share it only via security@pay.nl. This is how we keep our customers' data safe. Please give us the time to solve the problem.

When investigating the vulnerability you found, do not damage our applications. You may not share data with anyone other than Pay. employees. Furthermore, your research should never intentionally interrupt the service.

When researching our systems, you could potentially be doing something that is not allowed by law. If you act in good faith, carefully and in accordance with the rules below, we will not file a report.

We ask that you:
  • clearly substantiate in your report how the security problem can be exploited, for example with screenshots or a step-by-step explanation.
  • do not use social engineering to access our systems.
  • do not put a backdoor in an information system to show the weak spot.
  • only do what is strictly necessary to demonstrate the vulnerability.
  • do not copy, modify or delete any data. Only send us the minimum information you need to demonstrate the problem, for example a directory listing or a screenshot.
  • restrict attempts to gain access to the system, and do not share information about gained access with others.
  • do not use so-called 'brute force attacks' to get into our systems.
  • submit one security issue per report.
  • respond if we need additional information about the submitted report.
Contact us only via security@pay.nl, never directly or via other channels.

Exceptions

Pay. may decide to not reward a report if it concerns a vulnerability with a low or accepted risk. Below are some examples of such vulnerabilities:

  • HTTP 404 codes or other non-HTTP 200 codes
  • Injection of plain text into 404 pages
  • Version banners on public services
  • Publicly accessible files and folders containing non-sensitive information
  • Clickjacking on pages without a login
  • Cross-site request forgery (CSRF) on forms that can be accessed anonymously
  • Lack of 'Secure' / 'HttpOnly' flags on non-sensitive cookies
  • Notifications related to SSL certificates (e.g. weak ciphers)
  • The HTTP OPTIONS method being enabled
  • Host Header Injection
  • Lack of SPF, DKIM and DMARC records
  • Lack of DNSSEC
  • Lack of HTTP security headers
  • Reporting outdated versions of software (e.g. jQuery) without a proof of concept or working exploit
  • Notifications related to Cloudflare
  • Tabnabbing
  • General best-practice recommendations

Discovered a security issue in our services?

Let us know! Keeping our data secure is extremely important to us. That is why we constantly work on keeping our services safe and maintain the highest standards of security. However, should something go wrong, we would like to be informed.

What can you report?

You can report vulnerabilities in our services. Examples:

  • Cross-Site Scripting (XSS) vulnerabilities
  • SQL injection vulnerabilities
  • Weaknesses in secure connection devices

Please send an email describing the issue you found to security@pay.nl and explain the problem as clearly as possible.


We are confident that regular mail encryption is sufficient to provide the confidentiality needed to report a vulnerability. However, if you feel that your vulnerability report requires the use of PGP encryption, you can find our public key below.

Key created on 2022-12-01.