PayTabs Bug Bounty


The purpose of the Bug Bounty program is to lay out procedures and establish the rules for collaboration with Security Researchers when security tests are performed on the PayTabs Group (collectively “Company”) environment.

Bug Bounty Scope

The Bug Bounty scope covers the PayTabs merchant dashboard (PT 2.0), PayTabs applications such as Paymes and SoftPOS, the PayTabs mobile SDK, the PayTabs API and PayTabs express checkout.

Responsible Investigation

Responsible investigation includes, but is not limited to, the following rules:

  1. Do not violate the privacy of PayTabs employees, customers or merchants, and do not destroy any data.
  2. Do not defraud or harm PayTabs or its users during your research; you should make a good faith effort not to interrupt or degrade PayTabs services.
  3. Do not target our physical security measures, and do not attempt to use social engineering, spam or distributed denial of service (DDoS) attacks.
  4. Report the bug only to the email address [email protected]; the report will then be forwarded to the information security department for further investigation.
  5. In general, investigate and report bugs in a way that makes a reasonable, good faith effort not to be disruptive or harmful to us or our users. Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.

Crafting a Report

  1. To help streamline our intake process, it is important that the submissions include:
    1. Name, Email address
    2. Description of the bug or security vulnerability
    3. Description of the attack scenario
    4. The impact of this scenario
    5. Steps to reproduce the reported vulnerability
    6. Proof of exploitability (e.g., screenshot, video)
    7. Perceived impact to another user or the organization
    8. List of URLs and affected parameters
    9. Other vulnerable URLs, additional payloads, Proof-of-Concept code
    10. Browser, OS and/or app version used during testing
    11. Proposed bug resolution and fix
    Note: Failure to adhere to these minimum requirements may result in the loss of a bug bounty.
  2. As the email subject, kindly use the following format: “PayTabs – BUG BOUNTY_ [SEVERITY LEVEL]” (the severity level of the issue is at your discretion, based on your understanding of the submission). Full details of the suspected vulnerability should be provided in the form (screenshots, code and reproduction steps are always welcome) so that the Information Security team can verify, validate, reproduce and evaluate the issue.
  3. Once the issue has been submitted, the information security team will review the information, assign a severity level (which may differ from the severity level reported or chosen by the Security Researcher) and redirect it to a member of the customer support team, who will contact the Security Researcher with more details on the next steps.
  4. If the Information Security team cannot reproduce and verify an issue, a bug bounty cannot be awarded.

Report Eligibility

  1. The Security Researcher should be the first to report the vulnerability to the PayTabs Customer Support team.
  2. The report should demonstrate the actual security vulnerability and its impact on PayTabs infrastructure. The Security Researcher is also required to demonstrate the step-by-step vulnerability identification process.
  3. The Security Researcher should follow applicable local and international laws during the testing.
  4. The Security Researcher should not disclose findings to the public.

Note: Going public with your finding before we have fixed it will exclude you from the bug bounty. Instead, kindly report and discuss the finding with the authorized experts and give them time to assess and solve the issue.

Disclosure Policy

  1. The Security Researcher should agree to the PayTabs Terms and Conditions document sent by the PayTabs Legal Department.
  2. The Security Researcher should agree not to publicly disclose their findings or the contents of their Submission to any third party or competitor in any way without PayTabs’ prior written approval.
  3. Failure to comply with the PayTabs Terms and Conditions will result in immediate disqualification from the Bug Bounty Program and ineligibility for any Bounty Payments.

Rewards – Security Researcher

  1. The reward amount ranges from $100 to $2,000 depending on the severity of the reported vulnerability, the type of website concerned, and the quality of the report received.
  2. If the report is of great value for the continuity and reliability of PayTabs’ infrastructure, the reward or bug bounty will be considerably higher in exceptional cases.
  3. The Security Researcher will be eligible for a bounty only if they are the first person to disclose an unknown security or technical issue.
  4. Rewards are granted at the sole discretion of PayTabs.
  5. Vulnerabilities will be rewarded based on severity, to be determined by PayTabs in its sole discretion.
  6. At PayTabs’ discretion, providing more complete research, proof-of-concept code and detailed reports may increase the bounty awarded. Conversely, rewards will be lower for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible.
  7. Rewards may be denied if there is any evidence of program procedure violations.
  8. Rewards will be declined if any evidence of abuse is established.

Other Information

This Bug Bounty Program is a discretionary rewards program for the PayTabs community to encourage and reward those who help to enhance our services and infrastructure. This is not a competition. The Management can cancel this program at any time, and rewards are at the sole discretion of PayTabs.

Report a Vulnerability

Security Researchers can privately share details of suspected vulnerabilities with us by submitting a report via the form below: