Vulnerability Disclosure Programme

Welcome to NodesPay Tekh Pte Ltd – Where Your Security Matters!

At NodesPay, safeguarding the security and integrity of our products and services, as well as the privacy of your data and ours, remains our paramount concern. We fully comprehend the significance of robust security measures in upholding the trust you bestow upon us to deliver exceptional products and services.

Our team of dedicated security researchers is fervently committed to ensuring the protection of our customers’ information. However, we acknowledge that achieving absolute invulnerability is an ongoing challenge. Therefore, we actively encourage responsible security researchers within the community to join forces with us in bolstering the fortification of our offerings and safeguarding our users’ data. We eagerly anticipate the collaboration with proficient security researchers.

As part of our continuous commitment to cybersecurity, we proudly introduce our Vulnerability Disclosure Program (VDP). This program is designed to foster a collaborative environment, inviting ethical hackers, security researchers, and concerned individuals to assist us in strengthening our security posture. By engaging with the security community, we aim to proactively discover and mitigate potential vulnerabilities before they can be exploited.

Whether it be a seemingly minor concern or a critical issue, if you believe you have identified a security vulnerability, we sincerely request you to privately disclose it to us through our VDP, allowing us 5-7 business days to respond. Should the vulnerability be substantiated, we would be thrilled to work alongside you to promptly address the matter.

Your valuable insights and responsible disclosure are essential in helping us uphold the trust of our customers and protect their sensitive data. We believe that together, we can create a safer digital ecosystem for all.

Thank you for joining us in our mission to make NodesPay Tekh Pte Ltd more secure and resilient. Your dedication to the responsible disclosure of vulnerabilities makes a significant impact in our pursuit of excellence in cybersecurity.


Currently we are not awarding any monetary rewards for any vulnerabilities. However, if your submission is accepted, we will send you a “AWESOME SWAG” as a token of our gratitude.


Under this policy, “research” means activities in which you:

– Notify us as soon as possible after you discover a real or potential security issue.

– Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.

– Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.

– Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.

– Do not submit a high volume of low-quality reports.

– Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.


While researching, please refrain from:

– Forms are hosted by an external party. Kindly exclude.

– Attempting to gain access to others accounts or data.

– Distributed Denial of Service (DDoS)

– Impacting/ Affecting other users

– Spamming 

– Social engineering or phishing of NodesPay Tekh’s employees or contractors

– Any attacks against NodesPay Tekh’s physical property or data centers 


In-Scope Services

– *

– *

– Any products or services owned by NodesPay Tekh

Out-of-Scope Services

– Any 3rd party services.
Staging Domain of NodesPay Tekh

In-Scope Vulnerabilities

We are interested in the following types of vulnerabilities:

  • SQL injections
  • Privilege Escalations
  • Code Executions
  • File inclusions (Local & Remote)
  • Authentication Bypasses
  • Leakage of sensitive data
  • Administration portals without an authentication mechanism
  • Open redirects that allow stealing tokens/ secrets
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Server-Side Request Forgery (SSRF)
  • Protection Mechanism bypasses (CSRF bypass, etc.)
  • Directory Traversal

Out-of-Scope Vulnerabilities

The types of vulnerabilities excluded include, but are not limited to:

  • Self-XSS
  • Tabnabbing
  • Email Spoof
  • Content Spoofing
  • Missing cookie flags
  • Best practices/ issues
  • Content injection
  • Long string validation/ DOS Attacks
  • Clickjacking/ UI redressing
  • HTTPS/SSL/ TLS Related Issues
  • Physical or social engineering attacks
  • Login/logout/ unauthenticated/ low-impact CSRF
  • Unverified Results of automated tools or scanners
  • No SPF/ DMARC in non-email domains/ subdomains
  • Attacks requiring MITM or physical access to a user’s device
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Error information disclosure that cannot be used for direct attack
  • Missing security-related HTTP headers that do not lead directly to a vulnerability
  • Xmlrpc.php open to the public
  • WordPress related user info disclosure
  • Insecure CORS at wp-json endpoint and CVE-2018-6389
  • User enumeration at different endpoints and Rate limiting absence at different endpoints

What we would like to see from you

When submitting potential vulnerabilities, please share the following attributes for it to qualify as a valid submission:
  1. Description of the vulnerability
  2. Detailed steps to reproduce the vulnerability.
  3. Supporting material
  4. Proof of concept
  5. Impact of the vulnerability
  6. Exploit scenarios
  7. Mitigation/ Patch if available

What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

– Within 5-7 business days, we will acknowledge that your report has been received.

– To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.

– We will maintain an open dialogue to discuss issues.


Questions regarding this policy may be sent to [email protected] We also invite you to contact us with suggestions for improving this policy.