1. Introduction
At Flash Payments, we consider the security of our systems a top priority. We understand that no system is entirely free of security vulnerabilities, which is why we value the role of security researchers and the community in contributing to our security.
2. Scope
Flash Payments' Responsible Disclosure Policy applies to all digital assets owned, operated, or maintained by the company. This includes but is not limited to:
Flash Payments main website, subdomains, related platforms, systems and services
Flash Payments public API endpoint URLs and related online documentation
We are dedicated to ensuring the security and privacy of our users and encourage the responsible reporting of any vulnerabilities that may affect the confidentiality, integrity, or availability of user data or our information assets and services.
2.1 In-Scope Vulnerabilities
Please concentrate your research on identifying significant vulnerabilities affecting the integrity, confidentiality, or availability of our information assets and user data.
Injection flaws, such as SQL, NoSQL, XML, and LDAP injection
Authentication and session management vulnerabilities
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Insecure direct object references
Security misconfigurations
Sensitive data exposure
Missing function-level access controls
Cross-origin resource sharing (CORS) issues
Server-side request forgery (SSRF)
Remote code execution (RCE)
Denial of Service attacks (DoS) (not distributed)
2.2 Out-of-Scope Vulnerabilities
Descriptive error messages (e.g., stack traces, application or server errors)
HTTP 404 codes/pages or other HTTP non-200 codes/pages
Fingerprinting/banner disclosure on standard/public services
Disclosure of known public files or directories (e.g., robots.txt)
Clickjacking and issues are only exploitable through clickjacking
Self-XSS and issues exploitable only through Self-XSS
Lack of Secure/HTTPOnly flags on non-sensitive cookies
SSL/TLS best practices
Distributed Denial of Service attacks (DDoS)
Spamming
Email spoofing (including SPF, DKIM, and DMARC issues)
Issues related to software or protocols not under Flash Payments' control
Physical attacks against Flash Payments' property or data centres
Attacks requiring physical access to a user's device.
Social engineering (including phishing) of Flash Payments staff or contractors.
Any vulnerabilities found through automated testing or scanning.
Presence of autocomplete attributes on web forms.
Missing best practices in SSL/TLS configuration.
Missing best practices in Content Security Policy (CSP) without demonstration of a successful attack.
Reports of insecure SSL/TLS ciphers unless they can be shown to compromise user data.
Reports on determining if a specific username or email address is linked to a Flash Payments account.
Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
3. Reporting a Vulnerability
If you've discovered an in-scope security vulnerability, we encourage you to inform us as soon as possible. We ask you to consider:
Securely Report: Email your findings to devsupport@flash-payments.com using data masking if needed to keep your findings secure
Responsible Use: Refrain from exploiting any vulnerability you discover
Confidentiality: Do not disclose the vulnerability to others until we have resolved it
Avoid Disruption: Please do not engage in any activity that would disrupt our services, such as DDoS attacks or spam
Provide Details: Share enough information and use the template below to help us understand and reproduce the issue
3.1 Proof of Concept Template
Type of Vulnerability: [Provide a brief description of the type of vulnerability, e.g., SQL Injection, XSS, etc.]
Affected Service/System: [Specify the service or system where the vulnerability exists]
Steps to Reproduce: [Provide a step-by-step guide to reproduce the vulnerability]
Potential Impact: [Explain the potential impact of exploiting this vulnerability]
Suggested Mitigation/Remediation Actions: [If possible, recommend actions to mitigate or remediate the vulnerability]
4. Our Commitment
Flash Payments is committed to the following principles when we receive your report:
Prompt Response: We will acknowledge your report within 7 business days and provide an estimated resolution date.
Legal Assurance: We will not pursue legal action against you regarding the report.
Privacy: We will handle your report confidentially and will not share your personal details without your consent.
Updates: We will inform you of our progress in resolving the issue.
Recognition: With your permission, we will credit you as the discoverer of the reported issue.
Rewards: We will offer rewards for previously unknown vulnerabilities, the amount of which will be based on the severity and quality of the report.
We aim to resolve all issues swiftly and welcome your active participation in the publication process once the issue is resolved.
5. Your Reward
At Flash Payments, we value the contributions of security researchers and are willing to reward reports of security vulnerabilities that help us improve our security. The following principles outline our rewards policy:
Eligibility: To be eligible for a reward, researchers must adhere to our Responsible Disclosure Policy guidelines.
Reward Consideration: Not all reports are eligible for a reward. The decision to grant a reward and its amount depends on the severity of the vulnerability, the quality of the report, and the potential impact on our business and customers.
Severity Assessment: The severity of the reported vulnerability is evaluated based on its impact and exploitability. Critical vulnerabilities that could cause significant harm to Flash Payments or our users are more likely to receive a reward.
Quality of the Report: A well-documented report with clear, reproducible steps is more likely to be considered for a reward.
No Guarantee: While we endeavour to provide rewards for significant vulnerabilities, there is no guarantee of a reward, and each report is assessed on a case-by-case basis.
Legal Compliance: Researchers must comply with all applicable laws and regulations. Any findings must be reported without violating any laws.
Reward Processing: Upon the decision to grant a reward, we will work with the researcher to process the reward in a timely and compliant manner.
Public Recognition: With the researcher’s consent, we may publicly acknowledge their contribution to Flash Payments’ security.
Please be aware that Flash Payments has the right to assess the eligibility of any reported vulnerability for a reward and may change the rewards program's terms without prior notice. We appreciate the contributions of those who work to secure Flash Payments and are committed to upholding the highest security standards for our services and users.
6. Exceptions to the policy
For an exception to be approved, a business case outlining the logic behind the request shall accompany the request. Each waiver request shall include justification and benefits attributed to the waiver and a time frame for achieving the minimum compliance level.
Such requests for exceptions to this policy shall be reviewed by the Chief Technology Officer (CTO) and the Chief Risk Officer (CRO) and approved by the CEO.