Search
Close

Responsible disclosure

 

Rewards Program Terms

  • Based on the risk of the reported security vulnerability, PAY. decides the reward. Please note: if the report is not a security issue or is low risk, no reward may be awarded.
  • When duplicate reports are received about a specific security issue, the reward will be awarded to the first person to report the security issue. PAY. determines whether there is a double report and does not share substantive data about the reports concerned.
  • An awarded reward is only given to one person.
  • We try to provide equal rewards for similar security vulnerabilities. However, the rewards and eligible security vulnerabilities are subject to change. Past awards are no guarantee of comparable results in the future.

What can you not report?

This Responsible Disclosure scheme is not intended for reporting complaints. The scheme is also not intended for:

  • reporting that the website is not available
  • reporting fraud
  • reporting fake emails (phishing emails)
  • reporting viruses

What do we do next?

After receiving your report, you will receive an automatic confirmation of receipt from us. You will be notified of the next steps within 3 business days. 

Is it a serious security issue? Then you will receive an appropriate reward from us as a thank you for reporting it. Determining what the reward is, is based on the risk and impact of the security problem, and can vary from a t-shirt to a maximum of 250 euros in gift vouchers. Please note: this must be an unknown and serious security problem.

Your contact details are only used to communicate about the report. We do not share these with others, unless law, regulation or judicial authorities require us to do so. If we regard your action as a criminal offence (i.e. you do not act in good faith), we will report it to the police.

If you have reported anonymously, we will not be able to transfer your reward and keep you informed. 

How can you submit a report?

You can report a discovered vulnerability in our services via security@pay.nl.

Rules

Please don't make the issue public and only share it via security@pay.nl. This is how we keep our customers' data safe. It would be great if you give us the time to solve the problem.

When investigating the vulnerability found, do not damage the applications. You may not share data with anyone other than Pay. employees. Furthermore, the service should never be intentionally interrupted by your research.

When researching our systems, you could potentially be doing something that is not allowed by law. If you act in good faith, carefully and in accordance with the rules below, we will not file a report.

We ask that you: 

  • clearly substantiate in your report how the security problem can be exploited. For example, use screenshots or a step-by-step explanation.
  • do not use social engineering to access our systems.
  • do not put a backdoor in an information system to show the weak spot.
  • only do what is strictly necessary to demonstrate the vulnerability.
  • do not copy, modify or delete any data. Only send us (minimum) information that you need to demonstrate the problem. For example, make a directory listing or screenshot.
  • restrict attempts to gain access to the system, and do not share information about gained access with others.
  • do not use so-called 'brute force attacks' to get into our systems.
  • submit one security issue per report.
    to respond if we need additional information about the submitted report, never contact us directly or via channels other than security@pay.nl.

Exceptions

Pay. may decide to not reward a report if it concerns a vulnerability with a low or accepted risk. Below are some examples of such vulnerabilities:

  • HTTP 404 codes or other non HTTP 200 codes
  • Add plain text in 404 pages
  • Version banners on public services
  • Publicly accessible files and folders containing non-sensitive information
  • Clickjacking on pages without a login 
  • Cross-site request forgery (CSRF) on forms that can be accessed anonymously
  • Lack of 'secure' / 'HTTP Only' flags on non-sensitive cookies
  • Notifications related to SSL certificate (e.g. weak cipher)
  • Using the HTTP OPTIONS Method
  • Host Header Injection
  • Lack of SPF, DKIM and DMARC records
  • Lack of DNSSEC
  • The lack of HTTP Security Headers
  • Reporting outdated versions of software (e.g. jQuery) without a proof of concept or working exploit
  • Tabnabbing
  • Best practices
  • Notifications related to *.webshop.pay.nl

Discovered a security issue in our services?

Let us know! Keeping our data secure is extremely important to us. That is why we constantly work on keeping our services safe and maintain the highest standards of security. However, should something go wrong, we would like to be informed.

What can you report?

You can report vulnerabilities in our services. Examples: 

  • Cross-Site Scripting (XSS) vulnerabilities
  • SQL injection vulnerabilities
  • Weaknesses in secure connection devices
Please send an email with the found issue to security@pay.nl and explain the problem you have found as clearly as possible.