These Responsible Disclosure Policy were last modified on 22nd January, 2024
At Safe Wallet, we are committed to maintaining a secure environment for everyone's use. The security of our data and systems is paramount. We value and appreciate your responsible disclosure of any security vulnerabilities you discover in any of Safe Wallet's services
When you adhere to this Responsible Disclosure Policy and report vulnerabilities to Safe Wallet, we will collaborate with you as an external security researcher (the Researcher).
If a Researcher, when reporting security vulnerabilities to Safe Wallet, adheres to the rules outlined in this Responsible Disclosure Policy, unless specified otherwise by law or payment scheme practices, Safe Wallet commits to:
Any Safe Wallet services, including iOS or Android-based apps, that involve the processing, storage, transfer, or utilization of personal or sensitive personal information, such as card data and authentication data, fall within the scope of this policy.
Specifically, web service vulnerabilities will be assessed based on the OWASP Top-10 classification, while mobile application vulnerabilities will be categorized according to the OWASP Mobile Top-10.
Any services hosted by 3rd party providers and services not provided by Safe Wallet fall beyond the scope of this policy.
To perform any testing or research, a Researcher can use their own merchant accounts and do not access the account or data of which they are not the owner.
A Researcher testing the merchant account can be the account owner or an agent approved by the account owner. The Researcher, in no case, is authorized or granted access to the merchant account or can download or modify the data in any other account, the account that does not belong to the Researcher, or try to do any such activities.
The Researcher must not infringe any applicable laws or regulations.
The test types are excluded explicitly from the scope, and testing for the best interests of the safety of our merchants, users, employees, the internet at large, and you as a Researcher - any findings from physical testing (office access, tailgating, open doors) or DOS or DDOS vulnerabilities.
Identifying any spelling mistakes or any UI and UX bugs are excluded from this responsible disclosure, ensuring a focused approach.
The Researchers must adhere to the following terms and conditions:
The Researcher is required to submit detailed steps and a description enabling the reproduction of the vulnerability. Proof-of-concept (POC) scripts, screenshots, and compressed screen captures are valuable for our understanding. Additionally, Researchers must include their email address for communication.
They need to email us at info@safewallet.co.in
No monetary requests or demands related to identified vulnerabilities will be entertained or honored under this Responsible Disclosure Policy.
Safe Wallet values your responsible reporting of security vulnerabilities, expressing gratitude by featuring your name on our Hall of Fame page upon resolution. Your contribution to a secure environment is recognized and acknowledged on our Hall of Fame.
Safe Wallet refrains from filing complaints or initiating legal actions for unintentional violations of this policy conducted in good faith. Our understanding is that activities consistent with this policy are considered "authorized" conduct under the Computer Fraud and Abuse Act. We will not pursue a Digital Millennium Copyright Act (DMCA) claim against you for circumventing technological measures protecting the subject applications.
Should a third party initiate legal action against you, and you have abided by the Safe Wallet Responsible Disclosure Policy, we will take measures to clarify that your research and actions were in compliance with this policy.
Safe Wallet Security Vulnerability Program operates in a "Public Non-Disclosure" Mode, signifying that, according to this policy, participants must refrain from making information about vulnerabilities public by default, or they may be subject to legal penalties.