Vulnerability Disclosure
1. Scope
The scope of a bug bounty program delineates the boundaries and parameters for ethical hackers or bug hunters to identify and report security vulnerabilities within a specified system, application, or network
2. Web Site Main Page Content
System security is a top priority at hyperpg. Regardless of the amount of effort any company puts into its system security, keeping an environment safe and secure is a continuous process. hyperpg believes that working with skilled security researchers across the globe is crucial to identifying weaknesses in its systems and to ensuring that its security is maintained.
hyperpg therefore invites all skilled security researchers to participate in its Vulnerability Disclosure Program (the ‘Program’).
hyperpg will engage with you as an external security researcher (the ‘Researcher’) when vulnerabilities are reported to us in compliance with the Responsible Disclosure Policy below. If a Researcher follows the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us, then, unless prescribed otherwise by law or by payment scheme rules, we commit to:
- Promptly acknowledge receipt of your vulnerability report and work with you, the Researcher, to understand and resolve the issue quickly
- Validate, respond to and fix the vulnerability in accordance with our commitment to security and privacy, and notify you when the issue is fixed
- Unless prescribed otherwise by law, not pursue or take legal action against you or the person who reported the security vulnerability
- Not suspend or terminate access to our service(s) if you are a merchant or a representative of a merchant
- Publicly acknowledge and recognise your responsible disclosure on our Hall of Fame page
I. Scope of the Program
- Only the below-listed domains are included in the scope of this Program, and researchers should look for security vulnerabilities within those domains only:
- Third-party software is excluded: As part of providing services to its customers, hyperpg integrates with various third-party software. This Program does not extend to any such third-party software, and bugs or vulnerabilities detected in such software will not be considered valid findings. Notwithstanding the above, any such vulnerabilities communicated to hyperpg may be forwarded to the relevant third-party service provider.
II. Terms of Registration
These terms govern your access to and participation in the hyperpg Vulnerability Disclosure Program. By participating in the Program and submitting your reports, you are deemed to agree to, and undertake to abide by, these terms.
- By submitting the vulnerability through this Program, you affirm that you have not disclosed and agree that you will not disclose the bug or your submission to anyone other than to hyperpg under this Program.
- Any information you receive or collect about hyperpg by participating in this Program must be kept confidential and used only in connection with the Program and with getting the vulnerabilities fixed. You may not use, disclose or distribute any such confidential information, including, but not limited to, any information regarding your submission and information you obtain while researching the hyperpg sites, without hyperpg's prior written consent.
- Your testing activities must not negatively impact hyperpg or hyperpg's business or performance.
- You are responsible for notifying hyperpg of any changes to your contact information, including but not limited to your email address.
- Only the in-scope domains listed above may be included in security testing by any researcher, and the scope of this Program is limited to security vulnerabilities found within those domains.
III. Guidelines for Responsible Disclosure
Researchers will need to comply with the below guidelines while disclosing the vulnerabilities detected:
- Researchers should notify us as soon as they find any potential security issue, at the designated e-mail address (security@hyperpg.in)
- Researchers are advised to adhere to this policy and are not permitted to disclose details of the vulnerability to any third party or to expose it to any agency.
- Researchers will be required to use official communication channels only. Do not use personal emails, social media accounts, or other private connections to contact a member of the security team in regard to vulnerabilities or any program related issues, unless you have been instructed to do so.
- Any unauthorized attempts at social engineering, phishing or physical attacks against hyperpg's employees or users, or impersonation of a hyperpg employee through a third party, another hacker or a security team, will not be tolerated.
- Researchers should not gain unauthorized access or destroy any user's data.
- Researchers are strictly prohibited from exploiting any of the vulnerabilities found.
- Researchers will make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
IV. How to Report
- Drop us an email at security@hyperpg.in with the details of the vulnerability identified to register yourself
- Once registered, you shall use only the registered email ID to interact with the hyperpg security team. Do not use personal emails, social media accounts, or other private connections to contact a member of the security team in regard to vulnerabilities or any program-related issues, unless you have been instructed to do so.
- Upon detection of a vulnerability/bug, you shall immediately report it to the hyperpg team, and the bug/vulnerability report shall include the following details:
- Description and potential impact of the vulnerability
- Information about the researcher including organization name and contact name
- Products or solutions and versions affected
- Proof-of-Concept URL and details of the affected parameters
- Supporting technical details (such as system configuration, traces, description of exploit/attack code)
- Information about known exploits/attacks
- Detailed steps of reproducing the vulnerability
- Screenshots to show Proof-of-Concept
- Details of the system where the tests were conducted
- Video recording of the Proof-of-Concept (If Possible)
However, hyperpg reserves the right to reject your submission if any of the above-mentioned details are not provided.
V. Exclusions
While researching, you shall strictly refrain from indulging in:
- Social engineering (including phishing) of any hyperpg staff or contractors
- Any physical attempts against hyperpg property, data centres or infrastructure
- Denial of Service (DoS) and Distributed Denial of Service (DDoS)
- X-Frame-Options related issues, and missing cookie flags on non-sensitive cookies
- Missing security headers which do not lead directly to a vulnerability (unless you deliver a PoC)
- Version exposure (unless you deliver a PoC of a working exploit)
- Directory listing of already publicly readable content
- Content spoofing on error pages or text injection
- Information disclosure not associated with a vulnerability, e.g. stack traces, application or server errors, robots.txt
- Use of known-vulnerable libraries (such as OpenSSL) without proof of exploitation
- Vulnerabilities affecting end-of-life browsers or platforms
- Login or forgotten-password page brute forcing, and account lockout not being enforced
- Application denial of service by locking user accounts
- Password or account recovery policies, such as reset link expiration or password complexity
- Reports from automated scripts or scanners
- Findings from physical testing such as office access (e.g. open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing, vishing, smishing)
- Functional, UI and UX bugs and spelling mistakes
- Logged-out cross-site request forgery (logout CSRF)
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- OPTIONS / TRACE HTTP methods being enabled (unless you deliver a PoC of a working exploit)
- Modification of headers, URLs, POST body content or server responses by man-in-the-middle attacks
- Fingerprinting / banner disclosure on common / public services
- Clickjacking, and issues only exploitable through clickjacking
- No / weak CAPTCHA, or CAPTCHA bypass
- SSL/TLS issues such as BEAST, BREACH, renegotiation attacks, forward secrecy not enabled, and weak / insecure cipher suites
hyperpg reserves its right to expand this list and include additional exclusions when required.
VI. Additional Terms
- You must abide by applicable law, and vulnerabilities must be reported in accordance with it.
- hyperpg reserves the right to discontinue the Program with prior notice to registered researchers.
- By submitting information about a potential vulnerability, you are agreeing to these terms and conditions and granting hyperpg a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing vulnerabilities.
- hyperpg reserves the right to hold you responsible and liable for any consequences arising out of your breach of these terms or breach of confidentiality. You hereby undertake to indemnify and keep indemnified hyperpg and its directors, officers, employees and consultants against all losses, damages, claims or liabilities that they incur due to any fraud, wilful misconduct, gross negligence, breach of confidentiality or breach of personal confidential information.
VII. Governing Law and Jurisdiction
These terms shall be governed by the Laws of India and the courts at Bangalore, India shall have exclusive jurisdiction to try any disputes that may arise out of this Program.
Hall Of Fame
hyperpg would like to thank and show our gratitude to the following Security Researchers for contributing to making hyperpg Applications and Infrastructure more secure by responsibly disclosing security issues to us under the Vulnerability Disclosure Program.
FAQs
Q: What if I found a vulnerability, but I don't have a proof of concept?
A: We expect vulnerability reports sent to us to include a valid attack scenario in order to qualify for the Program, and we consider this a critical step in vulnerability research. Honourable mentions are awarded based on the maximum impact of the vulnerability, and the panel is willing to reconsider based on new information (such as a chain of bugs or a revised attack scenario).
Q: How do I demonstrate the severity of the bug?
A: Please submit your report as soon as you have discovered a potential security issue. The panel will consider the maximum impact and will triage accordingly.
Q: Who determines whether my report is eligible for the hall of fame?
A: Members of the hyperpg security team.
Q: What happens if I disclose the bug publicly before it has been fixed?
A: We try to respond promptly and fix bugs within a reasonable time frame, because security is core to what we do. If you go public without first disclosing to the hyperpg security team, your bug will no longer be eligible for recognition and you will be blacklisted from the Program. Depending on the case, we may also take legal action.
Q: What if somebody else also found the same bug?
A: You will qualify for recognition only if you were the first person to alert us to a previously unknown flaw.
Q: What is an honorable mention or hall of fame?
A: This is the page we have put up to appreciate the efforts of, and recognise, the security researchers who have contributed to the Program.