Vulnerability Disclosure Programme

At NodesPay Tekh Pte Ltd, we prioritize the security and integrity of our products and services. Our Vulnerability Disclosure Program (VDP) is an initiative designed to foster collaboration with the cybersecurity community, including ethical hackers and security researchers. This program invites individuals to report potential security vulnerabilities in a responsible manner, enabling us to enhance our security posture and protect user data effectively.

Guidelines

Under this policy, “research” means activities in which you:

– Notify us as soon as possible after you discover a real or potential security issue.

– Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.

– Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.

– Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.

– Do not submit a high volume of low-quality reports.

– Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Exclusions

While researching, please refrain from:

– Forms are hosted by an external party. Kindly exclude.

– Attempting to gain access to others accounts or data.

– Distributed Denial of Service (DDoS)

– Impacting/ Affecting other users

– Spamming 

– Social engineering or phishing of NodesPay Tekh’s employees or contractors

– Any attacks against NodesPay Tekh’s physical property or data centers 

Scope

In-Scope Services

– *.nodespay.com

– *.nodespay.co

Out-of-Scope Services

In-Scope Vulnerabilities

We are interested in the following types of vulnerabilities:

• SQL injections
• Privilege Escalations
• Code Executions
• File inclusions (Local & Remote)
• Authentication Bypasses
• Leakage of sensitive data
• Administration portals without an authentication mechanism
• Open redirects that allow stealing tokens/ secrets
• Cross-Site Request Forgery (CSRF)
• Cross-Site Scripting (XSS)
• Server-Side Request Forgery (SSRF)
• Protection Mechanism bypasses (CSRF bypass, etc.)
• Directory Traversal

Out-of-Scope Vulnerabilities

The types of vulnerabilities excluded include, but are not limited to:

• Self-XSS
• Tabnabbing
• Email Spoof
• Content Spoofing
• Missing cookie flags
• Best practices/ issues
• Content injection
• Long string validation/ DOS Attacks
• Clickjacking/ UI redressing
• HTTPS/SSL/ TLS Related Issues
• Physical or social engineering attacks
• Login/logout/ unauthenticated/ low-impact CSRF
• Unverified Results of automated tools or scanners
• No SPF/ DMARC in non-email domains/ subdomains
• Attacks requiring MITM or physical access to a user’s device
• Vulnerabilities affecting users of outdated browsers or platforms
• Error information disclosure that cannot be used for direct attack
• Missing security-related HTTP headers that do not lead directly to a vulnerability
• Xmlrpc.php open to the public
• WordPress related user info disclosure
• Insecure CORS at wp-json endpoint and CVE-2018-6389
• User enumeration at different endpoints and Rate limiting absence at different endpoints