Vulnerability
Disclosure Program

System security is a top priority at Juspay. Regardless of the amount of effort any Company puts into its system security, ensuring a safe and secure envirement is a continuous process. Juspay believes that working with skilled security researchers across the globe is crucial in identifying any weaknesses in its systems, and in ensuring that its security is maintained.

Juspay hence invites all skilled security researchers to participate in its Vulnerability Disclosure Program (the ‘Program’)

Juspay will engage with you as an external security researcher (the Researcher) when vulnerabilities are reported to us in compliance with the below Responsible Disclosure Policy.
If a Researcher follows the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us, unless prescribed otherwise by law or the payment scheme rules, we commit to:

  • Promptly acknowledge the receipt of your vulnerability report and work with you, the researcher, to understand and resolve the issue quickly;
  • Validate, respond and fix such vulnerability in accordance with our commitment to security and privacy. We will notify you when the issue is fixed;
  • Unless prescribed by law otherwise, not pursue or take legal action against you or the person who reported such security vulnerabilities;
  • Not suspend or terminate access to our service/services if you are a merchant or representative for a merchant;
  • Publicly acknowledge and recognise your responsible disclosure in our Hall of Fame page.

I. Scope of the Program:

  1. Only the below-listed domains are included in the scope of this program and researchers are recommended to look for security vulnerabilities under the same:
    • https://juspay.in/
    • https://api.juspay.in/
    • https://payment.juspay.in/
    • https://dashboard.expresscheckout.juspay.in/
    • https://analytics.expresscheckout.juspay.in/
    • https://lambda.juspay.in/
    • https://logs.juspay.in/
    • https://logs.in-west-1.juspay.in/
  2. Third-Party Softwares are excluded:
    As part of providing services to its customers, Juspay uses integrations with various third-party software. This Program does not extend to any such third-party software and bugs or vulnerabilities detected in such third-party software will not be considered as a valid find. Notwithstanding the above, any such vulnerabilities communicated to Juspay may further be transmitted/informed to the third-party service provider.

II. Terms of Registration:

These terms govern the terms of your access and participation in the Juspay Vulnerability Disclosure Program and you deem to agree and undertake to abide by these terms while participating in the Program and submitting your reports. By agreeing to participate in the Program, you agree to abide by the terms hereunder.

  1. By submitting the vulnerability through this Program, you affirm that you have not disclosed and agree that you will not disclose the bug or your submission to anyone other than to Juspay under this Program.
  2. Any information you receive or collect about Juspay by participating in this Program must be kept confidential and only used in connection with the Program and in line with getting the vulnerabilities cleared. You may not use, disclose or distribute any such confidential information, including, but not limited to, any information regarding your submission and information you obtain when researching the Juspay sites, without Juspay's prior written consent.
  3. Your testing activities must not negatively impact Juspay or Juspay's business or performance.
  4. You are responsible for notifying Juspay of any changes to your contact information, including but not limited to your email address.
  5. Only the above listed in-scope domains should be included in the security testing by any researcher and the scope of this Program is limted to security vulnerabilities found within the scope of the program

III. Guidelines for Responsible Disclosure:

Researchers will need to comply with the below guidelines while disclosing the vulnerabilities detected:

  1. Researchers should notify us as soon as they find any potential security issue on the notified e-mail id.
  2. The researchers are advised to stick to this policy and shall not be allowed to disclose details of the vulnerability to any third party or expose it to any agencies.
  3. Researchers will be required to use official communication channels only. Do not use personal emails, social media accounts, or other private connections to contact a member of the security team in regard to vulnerabilities or any program related issues, unless you have been instructed to do so.
  4. Any unauthorized attempts of social engineering, phishing, or physical attacks against Juspay’s employees, users, or impersonation of a Juspay employee through a third party, another hacker, or a security team will not be tolerated.
  5. Researchers should not gain unauthorized access or destroy any user's data.
  6. Any unauthorized attempts of social engineering, phishing, or physical attacks against Juspay’s employees, users, or impersonation of a Juspay employee through a third party, another hacker, or a security team will not be tolerated.
  7. Researchers shall be strictly prohibited from exploiting any of the vulnerabilities found.
  8. Researchers will make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.

IV. How to Report:

  1. Drop us an email at security@juspay.in with the details of the vulnerability identified to register yourself.
  2. Once registered, you shall only use the registered email Id to interact with Juspay security team. Do not use personal emails, social media accounts, or other private connections to contact a member of the security team in regard to vulnerabilities or any program-related issues, unless you have been instructed to do so.
  3. Upon detection of a vulnerability/bug, you shall immediately report it to the Juspay team and such bug/vulnerability report shall include:
    • Details that must be included in the report:
    • Description and potential impact of the vulnerability.
    • Information about the researcher including organization name and contact name.
    • Products or solutions and versions affected.
    • Proof-of-Concept URL and the information of affected parameters.
    • Supporting technical details (such as system configuration, traces, description of exploit/attack code).
    • Information about known exploits/attacks.
    • Detailed steps of reproducing the vulnerability
    • Screenshots to show Proof-of-Concept
    • Details of the system where the tests were conducted
    • Video recording of the Proof-of-Concept (If Possible.)
  4. However, Juspay reserves the right to refuse your request if any of the above-mentioned details are not provided by you to Juspay.

V. Exclusions:

  1. While researching, you shall strictly refrain from indulging in:
    • Social engineering (including phishing) with any Juspay staff or contractors;
    • Any physical attempts against Juspay property, data centers or infrastructure;
    • Denial of Service, Distributed-DoS;
    • X-Frame-Options related, missing cookie flags on non-sensitive cookies;
    • Missing security headers which do not lead directly to a vulnerability (unless you deliver a PoC);
    • Version exposure (unless you deliver a PoC of working exploit);
    • Directory listing with already public readable content;
    • Content spoofing on error pages or text injection;
    • Information disclosure not associated with a vulnerability, i.e.: stack traces, application or server errors, robots.txt etc;
    • Use of known-vulnerable libraries without proof of exploitation such as OpenSSL;
    • Vulnerabilities affecting end of life browsers or platforms;
    • Login or forgotten password page brute forcing and account lockout not being enforced;
    • Application denial of service by locking user accounts;
    • Password or account recovery policies, such as reset link expiration or password complexity;
    • Reports from automated scripts or scanners;
    • Findings from physical testing such as office access (e.g. open doors, tailgating);
    • Findings derived primarily from social engineering (e.g. phishing, vishing, smishing);
    • Functional, UI and UX bugs and spelling mistakes;
    • Logged out cross-site request forgery (logout CSRF);
    • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality;
    • Options / trace HTTP method being enabled (unless you deliver a PoC of working exploit);
    • Modification of headers, URLs, POST body content, server responses by man-in-the-middle attacks;
    • Fingerprinting / banner disclosure on common / public services;
    • Clickjacking and issues only exploitable through clickjacking;
    • No / weak captcha / captcha bypass;
    • SSL issues such as BEAST, BREACH, renegotiation attack, forward secrecy not enabled, weak / insecure cipher suites.
  2. Juspay reserves its right to expand this list and include additional exclusions when required.

VI. Additional Terms:

  1. You must abide by the law and intimation of vulnerability shall be as per the law.
  2. Juspay reserves the right to discontinue the Program with prior intimation to registered researchers.
  3. By submitting information about a potential vulnerability, you are agreeing to these terms and conditions and granting Juspay a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing vulnerabilities.
  4. Juspay reserves the right to hold you responsible and liable for any consequences arising out of your breach of these terms or breach of confidentiality.. You hereby undertake to indemnify and keep indemnified Juspay and its directors, officers, employees and consultants against all losses, damages, claims or liabilities that they incur due to any Fraud, Willful Misconduct, Gross Negligence, breach of confidentiality or due to breach of personal confidential information.

VII. Governing Law and Jurisdiction:

These terms shall be governed by the Laws of India and the courts at Bangalore, India shall have exclusive jurisdiction to try any disputes that may arise out of this Program.