Paymatrix takes the security of our systems and its data very seriously. We are continuously striving to maintain and ensure that our environment is safe and secure for everyone to use. If you’ve discovered any security vulnerabilities associated with any of our Paymatrix services, we do appreciate your help in disclosing it to us in a responsible manner.
Paymatrix will engage with you as external security researchers (the Researcher) when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy.
If a Researcher follows the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us, unless prescribed otherwise by law or the payment scheme rules, we commit to:
Any of the Paymatrix services iOS, Android or Web apps, which process, store, transfer or use in one way or personal or sensitive personal information, such as card data and authentication data.
Automated tools or scripts ARE STRICTLY PROHIBITED, and any POC submitted to us should have a proper step-by-step guide to reproduce the issue. Abuse of any vulnerability found shall be liable for legal penalties
A Researcher can test only against a merchant account if they are an account owner or an agent authorized by the account owner to conduct such testing. As a Researcher, in no event are you permitted to access, download or modify data residing in any other account or that does not belong to you or attempt to do any such activities. In the interest of the safety of our merchants, users, employees, the Internet at large and you as a Researcher, the following test types are expressly excluded from scope and testing: any findings from physical testing (office access, tailgating, open doors) or DOS or DDOS vulnerabilities. A responsible disclosure also does not include identifying any spelling mistakes, or any UI and UX bugs.
We require that all Researchers must:
Remember that you must never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure. Please include the following information with your report:
The identified bug shall have to be reported to our security team by sending us a mail from their registered email address to firstname.lastname@example.org (Subject: Suspected Vulnerability on Paymatrix) (without changing the subject line else the mail shall be ignored and not eligible for bounty). The mail should strictly follow the format below:
By helping Paymatrix continuously keep our data secure, once the security vulnerability is verified and fixed as a result of report, we would like to put your name on our Hall of Fame page (We are in process of bringing hall of page soon.Meanwhile, please write to email@example.com)
Of course, we will need to know if you want the recognition, in which case you will be required to give us your name and Twitter handle, LinkedIn Profile as you wish it to be displayed on our Hall of Fame page.
We currently do not offer any monetary compensation. However, we may send out Paymatrix swag or goodies in some cases. Requests or demands for monetary compensation in connection with any identified or alleged vulnerability are non-compliant with this Responsible Disclosure Policy. Visit our Hall of Fame.
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope. If legal action is initiated by a third party against you and you have complied with Paymatrix’s VDP, Paymatrix will take steps to make it known that your actions were conducted in compliance with this policy.
By default, this program is in “PUBLIC NONDISCLOSURE” mode which means:"THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO PUBLIC, FAILING WHICH SHALL BE LIABLE FOR LEGAL PENALTIES!”
The Fine Print
We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. Paymatrix employees and their family members are not eligible for bounties.