Responsible Disclosure

1. INTRODUCTION

At PAYSTRAX AB (hereinafter referred to as the PAYSTRAX, we or us) we consider the security of our services a top priority, and we value the security community. But no matter how much effort we put into the security of our services, there can still be vulnerabilities present. The disclosure of security vulnerabilities helps us ensure the security of our services and privacy of our customers.

We are undertaking this program to give you as a Security Researcher a point of contact so you can in a responsible manner directly disclose your research findings to us, which then can be remediated in a prioritized and efficient way.

2. RESPONSIBLE DISCLOSURE RULES

Please note that this Policy should not be construed as encouragement or permission to hack, penetrate, or otherwise attempt to gain unauthorized access to PAYSTRAX services or data. To avoid any confusion between good-faith reporting and a malicious attack, we ask that you, as Security Researcher:

Report any suspected or confirmed vulnerability you’ve discovered promptly;
Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
Perform research only within the scope set out below;
If a vulnerability provides unintended access to data: cease testing and submit a report immediately (e.g., if you encounter any user data during testing, such as Personal data/Personally identifiable information, payment card data, or proprietary information) – you are not authorized to access any PAYSTRAX data;
Provide us with a reasonable amount of time to remediate vulnerabilities;
Keep the details of any discovered vulnerabilities confidential;
Use the identified communication channels to report vulnerability information to us;
Only interact with accounts you own or with explicit permission from the account holder;
Do not violate any national and/or international laws and/or regulations.

If you follow these rules when reporting an issue to us, we commit to:

Not pursue or support any legal action related to your research;
Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission);
After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it;
An open dialog to discuss issues;
Notification when the vulnerability analysis has completed each stage of our review;
Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.

If we are unable to resolve communication issues or other problems, PAYSTRAX may bring in a neutral third party (such as National Cyber Security Centre in Lithuania, or the relevant regulator) to assist in determining how best to handle the vulnerability.

3. SCOPE

*.paystrax.com

4. OUT OF SCOPE

Any services hosted by 3rd party providers and services not provided by PAYSTRAX are excluded from scope.

In the interest of the safety of our customers, users, employees, the Internet at large and you as a Security Researcher, the following test types are clearly excluded from scope and testing:

Findings from physical testing such as office access (e.g. open doors, tailgating);
Findings derived primarily from social engineering (e.g. phishing, vishing);
Findings from applications or systems not listed in the “Scope” section;
UI and UX bugs and spelling mistakes;
Network level Denial of Service (DoS/DDoS) vulnerabilities;
Missing Cookie flags on non-session cookies or 3rd party cookies;
Email spoofing, SPF, DMARC & DKIM;
Scanner output or scanner-generated reports, including any automated or active exploit tool;
Cross Site Request Forgery;
Banner or version disclosures;
Any vulnerability that relies upon an outdated browser.

Things we do not want to receive:

Personal data/Personally identifiable information;
Payment card data.

5. LEGAL POSTURE

We openly accept reports for the in scope listed systems and services. We agree not to pursue legal action against Security Researchers who:

Engage in research without harming PAYSTRAX, its customers and employees;
Engage in vulnerability testing within the scope of this Policy and avoid testing against Out of Scope services;
Test without affecting customers;
Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.

Should legal action be initiated by a third party against Security Researchers for activities that were conducted in accordance with this Policy, we will inform third party (if needed) about authorization provided to Security Researchers in this Policy.

6. VULNERABILITY REPORTING

If you believe you’ve found a security vulnerability in our service, please send it to us by emailing security@paystrax.com. Please include the following details with your report:

Detailed summary of the vulnerability;
Description of the location and potential impact of the vulnerability, including the exploitability;
A detailed description of all steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us);
Tools and artifacts used during discovery;
IP address used during the testing;
Your name/handle and a link for recognition in our Hall of Fame;
Any potential remediation;
Please include any plans or intentions for public disclosure.

7. PREFERENCE, PRIORITIZATION, AND ACCEPTANCE CRITERIA

We will use the following criteria to prioritize and triage submissions.

What we would like to see from you:

Well-written reports in English or Lithuanian will have a higher chance of resolution;
Reports that include proof-of-concept code equip us to better triage;
Reports that include only crash dumps or other automated tool output may receive lower priority;
Reports that include products not on the initial scope list may receive lower priority.

8. COMPENSATION

We do not offer compensation to researchers for identifying potential or confirmed security vulnerabilities, and requests for monetary compensation will be treated as a breach of this Policy.

9. DONATION TO CHARITY

Although we do not offer monetary compensation, if we feel that the vulnerability is significant, we will show our appreciation by making a donation on your behalf to your choice of these charities:

International Federation of Red Cross and Red Crescent Societies;
Save the Children;
Maisto bankas

10. SECURITY RESEARCHER HALL OF FAME

PAYSTRAX would like to acknowledge and thank the following people for helping us to improve our security:

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.
_gat_UA-153541166-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.

Cookie	Duration	Description
__Secure-3PAPISID	2 years	Builds a profile of website visitor interests to show relevant and personalized ads through retargeting.
__Secure-3PSID	2 years	Builds a profile of website visitor interests to show relevant and personalized ads through retargeting.
__Secure-3PSIDCC	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalised Google advertising.
NID	6 months	This cookie is used to save the user's preferences and other information. This includes in particular the preferred language, the number of search results to be displayed on the page as well as the decision as to whether the Google SafeSearch filter should be activated or not.