At Send Payments, we are dedicated to maintaining the security of our
products, services, and online platforms and value the important role of
security researchers in assisting us to mitigate cyber security risks.
If you suspect you’ve uncovered a potential cyber threat or security issue
that impacts the confidentiality, integrity, or availability of our information,
systems, or services, we would appreciate it if you could keep your findings
strictly confidential and disclose the relevant information to us in a
responsible manner, as described below.
How to report a vulnerability
If you believe you’ve found a security vulnerability in Send Payments
products, services, or online platforms, please contact us immediately via
email and encrypt your report with our PGP key provided below:
Email contact: Report.Vulnerability@sendpayments.com
What to include in the report?
To assist us in investigating your report, we would appreciate the following
information:
- Affected product or service, including affected URL(s)
- Your contact information, including your organisation and contact
name for ongoing communication (if you do not wish to provide your
personal information, you may contact us anonymously)
- Date, time and time zone of when the suspected vulnerability was
discovered.
- URLs, IP addresses, or infrastructure linked to the vulnerability (if
applicable).
- Steps to reproduce the vulnerability.
Also, please let us know if you have informed any agencies or other
parties about the vulnerability and provide any reference numbers.
Rules of engagement
We request you refrain from:
- Exploiting a security vulnerability
- Accessing, altering, or deleting Send Payments data
- Publicly disclosing a vulnerability before it’s resolved
- Downloading more data than necessary to demonstrate a
vulnerability
- Attempting to access client accounts illicitly
- Using Social Engineering, Denial of Service, or Phishing attacks
Next steps
Please maintain confidentiality and abstain from publicly disclosing your
research until we have completed our investigation and applied patches or
other measures to address the issue. The Send Payments security team will
reach out to you within 72 hours of receiving your report, providing updates
on our efforts to resolve the vulnerability. Upon successfully patching or
mitigating the vulnerability, we’ll notify you and acknowledge your
contribution if it’s deemed a valid high or critical vulnerability.
Recognition
We do not offer compensation to individuals or organizations for identifying
potential or confirmed security vulnerabilities. We extend our sincere
gratitude to the researchers who have contributed to keeping our
customers and communities safe by reporting security vulnerabilities.