Vulnerability Disclosure Programme

Welcome to NodesPay Tekh Pte Ltd – Where Your Security Matters!

At NodesPay, the security and integrity of our products and services, and the privacy of your data and ours, are our top priority. We understand that robust security measures are essential to maintaining the trust you place in us to deliver reliable products and services.

Our team of dedicated security researchers is committed to protecting our customers’ information. However, we acknowledge that no system is ever completely invulnerable. We therefore encourage responsible security researchers in the community to work with us to strengthen our offerings and safeguard our users’ data, and we welcome collaboration with skilled security researchers.

As part of our continuous commitment to cybersecurity, we proudly introduce our Vulnerability Disclosure Program (VDP). This program is designed to foster a collaborative environment, inviting ethical hackers, security researchers, and concerned individuals to assist us in strengthening our security posture. By engaging with the security community, we aim to proactively discover and mitigate potential vulnerabilities before they can be exploited.

Whether it appears to be a minor concern or a critical issue, if you believe you have identified a security vulnerability, please disclose it to us privately through our VDP and allow us 5-7 business days to respond. If the vulnerability is confirmed, we will work with you to address it promptly.

Your valuable insights and responsible disclosure are essential in helping us uphold the trust of our customers and protect their sensitive data. We believe that together, we can create a safer digital ecosystem for all.

Thank you for joining us in our mission to make NodesPay Tekh Pte Ltd more secure and resilient. Your dedication to the responsible disclosure of vulnerabilities makes a significant impact in our pursuit of excellence in cybersecurity.

Rewards

Currently we are not awarding any monetary rewards for vulnerabilities. However, if your submission is accepted, we will send you some “AWESOME SWAG” as a token of our gratitude.

Guidelines

Under this policy, “research” means activities in which you:

– Notify us as soon as possible after you discover a real or potential security issue.

– Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.

– Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.

– Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.

– Do not submit a high volume of low-quality reports.

– Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Exclusions

While researching, please refrain from:

– Testing forms hosted by an external party (these are out of scope)

– Attempting to gain access to other users’ accounts or data

– Denial of Service, including Distributed Denial of Service (DDoS)

– Impacting or affecting other users

– Spamming

– Social engineering or phishing of NodesPay Tekh’s employees or contractors

– Any attacks against NodesPay Tekh’s physical property or data centers 

Scope

In-Scope Services

– *.nodespay.com

– *.nodespay.co

– Any products or services owned by NodesPay Tekh
 

Out-of-Scope Services

– Any 3rd party services

– Staging domains of NodesPay Tekh

In-Scope Vulnerabilities

We are interested in the following types of vulnerabilities:

  • SQL injections
  • Privilege Escalations
  • Code Executions
  • File inclusions (Local & Remote)
  • Authentication Bypasses
  • Leakage of sensitive data
  • Administration portals without an authentication mechanism
  • Open redirects that allow stealing tokens/ secrets
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Server-Side Request Forgery (SSRF)
  • Protection Mechanism bypasses (CSRF bypass, etc.)
  • Directory Traversal

Out-of-Scope Vulnerabilities

The types of vulnerabilities excluded include, but are not limited to:

  • Self-XSS
  • Tabnabbing
  • Email spoofing
  • Content spoofing
  • Missing cookie flags
  • Best-practice issues
  • Content injection
  • Long string validation / denial of service (DoS) attacks
  • Clickjacking / UI redressing
  • HTTPS / SSL / TLS related issues
  • Physical or social engineering attacks
  • Login/logout, unauthenticated or low-impact CSRF
  • Unverified results of automated tools or scanners
  • Missing SPF / DMARC records on non-email domains or subdomains
  • Attacks requiring MITM or physical access to a user’s device
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Error information disclosure that cannot be used for a direct attack
  • Missing security-related HTTP headers that do not lead directly to a vulnerability
  • xmlrpc.php open to the public
  • WordPress-related user information disclosure
  • Insecure CORS at the wp-json endpoint and CVE-2018-6389
  • User enumeration and absence of rate limiting at various endpoints
 

What we would like to see from you

When submitting potential vulnerabilities, please share the following attributes for it to qualify as a valid submission:
  1. Description of the vulnerability
  2. Detailed steps to reproduce the vulnerability.
  3. Supporting material
  4. Proof of concept
  5. Impact of the vulnerability
  6. Exploit scenarios
  7. Mitigation/ Patch if available

What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

– Within 5-7 business days, we will acknowledge that your report has been received.

– To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.

– We will maintain an open dialogue to discuss issues.
 

Questions

Questions regarding this policy may be sent to [email protected]. We also invite you to contact us with suggestions for improving this policy.