Responsible Disclosure Policy

Safe Wallet Security Vulnerabilities

At Safe Wallet, we are committed to maintaining a secure environment for everyone's use. The security of our data and systems is paramount. We value and appreciate your responsible disclosure of any security vulnerabilities you discover in any of Safe Wallet's services

When you adhere to this Responsible Disclosure Policy and report vulnerabilities to Safe Wallet, we will collaborate with you as an external security researcher (the Researcher).

Responsible Disclosure Policy

If a Researcher, when reporting security vulnerabilities to Safe Wallet, adheres to the rules outlined in this Responsible Disclosure Policy, unless specified otherwise by law or payment scheme practices, Safe Wallet commits to:

• Acknowledge the receipt of the vulnerability report promptly and collaborate with the researcher to understand and address the issue expeditiously.
• Validate, verify, respond to, and fix the vulnerability in line with our commitment to privacy and security. We will notify you once the issue is resolved.
• Refrain from initiating legal action against you or the person reporting the security vulnerability unless specified otherwise by law.
• Ensure the continued access to Safe Wallet services, without stopping, suspending, or restricting access, for both you as a merchant and the merchants you represent as an agent.
• Acknowledge and appreciate your responsible disclosure of vulnerabilities to Safe Wallet by recognizing you in our Hall of Fame.

In scope of this Policy

Any Safe Wallet services, including iOS or Android-based apps, that involve the processing, storage, transfer, or utilization of personal or sensitive personal information, such as card data and authentication data, fall within the scope of this policy.

Specifically, web service vulnerabilities will be assessed based on the OWASP Top-10 classification, while mobile application vulnerabilities will be categorized according to the OWASP Mobile Top-10.

Out of scope

Any services hosted by 3rd party providers and services not provided by Safe Wallet fall beyond the scope of this policy.

Testing

To perform any testing or research, a Researcher can use their own merchant accounts and do not access the account or data of which they are not the owner.

A Researcher testing the merchant account can be the account owner or an agent approved by the account owner. The Researcher, in no case, is authorized or granted access to the merchant account or can download or modify the data in any other account, the account that does not belong to the Researcher, or try to do any such activities.

The Researcher must not infringe any applicable laws or regulations.

The test types are excluded explicitly from the scope, and testing for the best interests of the safety of our merchants, users, employees, the internet at large, and you as a Researcher - any findings from physical testing (office access, tailgating, open doors) or DOS or DDOS vulnerabilities.

Identifying any spelling mistakes or any UI and UX bugs are excluded from this responsible disclosure, ensuring a focused approach.

Rules

The Researchers must adhere to the following terms and conditions:

• Must not violate the privacy policy, ensuring no impact on the user and merchant experience. Interruption or denial of services to any user and disturbance to our production system is strictly prohibited. Data deletion, compromise, or misuse during testing is not allowed.
• Must not exploit a vulnerability but rather show or explain its potential exploitation.
• Must not incur the loss of funds that are not your own.
• Must not attempt to access, download, copy, delete, compromise, or misuse others’ data, accounts, or personal information.
• Must use personal email ID and information for account sign up, reporting vulnerability information to Safe Wallet.
• Must maintain confidentiality of vulnerability information between the Researcher and Safe Wallet. Disclosure to third parties without prior written approval from Safe Wallet is prohibited. Safe Wallet commits to resolving vulnerabilities within a reasonable timeframe, approximately one month as a minimum, depending on the nature of the vulnerability and regulatory compliance.
• Must not execute any attack that could impact the integrity and reliability of our service delivery. DDoS/SPAM attacks are strictly prohibited.
• Must refrain from using automated tools or scanners to find vulnerabilities, as it may lead to account and IP address suspension.
• By reporting a vulnerability, the Researcher grants Safe Wallet and its affiliates a permanent, irrevocable, worldwide, royalty-free, transferable, sublicensable right to use, copy, adapt, develop, create derivative work from, or share the submission for any purpose. All claims, including breach of contract or implied-in-fact contract, are waived by the Researcher.
• Must avoid non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

Report

The Researcher is required to submit detailed steps and a description enabling the reproduction of the vulnerability. Proof-of-concept (POC) scripts, screenshots, and compressed screen captures are valuable for our understanding. Additionally, Researchers must include their email address for communication.

They need to email us at info@safewallet.co.in

Recognition

No monetary requests or demands related to identified vulnerabilities will be entertained or honored under this Responsible Disclosure Policy.

Safe Wallet values your responsible reporting of security vulnerabilities, expressing gratitude by featuring your name on our Hall of Fame page upon resolution. Your contribution to a secure environment is recognized and acknowledged on our Hall of Fame.

Policy Compliance and Consequences

Safe Wallet refrains from filing complaints or initiating legal actions for unintentional violations of this policy conducted in good faith. Our understanding is that activities consistent with this policy are considered "authorized" conduct under the Computer Fraud and Abuse Act. We will not pursue a Digital Millennium Copyright Act (DMCA) claim against you for circumventing technological measures protecting the subject applications.

Penalty

Should a third party initiate legal action against you, and you have abided by the Safe Wallet Responsible Disclosure Policy, we will take measures to clarify that your research and actions were in compliance with this policy.

Public NonDisclosure

Safe Wallet Security Vulnerability Program operates in a "Public Non-Disclosure" Mode, signifying that, according to this policy, participants must refrain from making information about vulnerabilities public by default, or they may be subject to legal penalties.

Small Print

Safe Wallet reserves the right to modify the terms of this program or terminate it at any time. Any changes to the program's terms will not apply retroactively. Additionally, Safe Wallet employees and their family members are not eligible for bounties.