Responsible Disclosure Policy
Lazypay is committed to the safety and security of its systems and services and to the integrity of its data. We recognise the valuable role of the security research community and we welcome reports from researchers, both of potential vulnerabilities in our systems and of confidential data from or relating to our services that may be accessible by unauthorised persons. If you’ve discovered any security vulnerabilities associated with any of our PayU services, we do appreciate your help in disclosing it to us in a responsible manner.
Lazypay will not initiate legal action against anyone who makes a report in compliance with this policy.
2. Disclosure Policy
If a researcher follows the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us, unless prescribed otherwise by law or the payment scheme rules, we commit to.
- Promptly acknowledging receipt of your vulnerability report and work with the researcher to understand and attempt to resolve the issue quickly;
- Validating, responding and fixing such vulnerability in accordance with our commitment to security and privacy. We will notify you when the issue is fixed;
- Unless prescribed by law otherwise, not pursuing or take legal action against you or the person who reported such security vulnerabilities;
- Not suspending or terminate access to our service(s) if you are a merchant. If you are an agent, not suspending or terminating merchants’ access to our services to which the agent represents.
Lazypay does not offer a bug bounty program or compensation for disclosure.
3. In Scope of this Policy
Any of the Lazypay services, iOS or Android-based apps, which process, store, transfer or use in one way or personal or sensitive personal information. In particular, web service vulnerabilities are classified using OWASP Top-10. Mobile application vulnerabilities are classified using OWASP Mobile Top-10.
5. Out of Scope
- Any services hosted by third party providers and services not provided by Lazypay.
A researcher can test only against an end user/merchant account if they are an account owner or an agent authorised by the account owner to conduct such testing. As a researcher, in no event are you permitted to access, download or modify data residing in any other account or that does not belong to you or attempt to do any such activities. In the interest of the safety of our merchants, users, employees, the internet at large and you as a researcher, the following test types are expressly excluded from scope and testing: any findings from physical testing (office access, tailgating, open doors) or DOS or DDOS vulnerabilities. A responsible disclosure also does not include identifying any spelling mistakes, or any UI and UX bug.
7. The Rules
We require that all researchers must:
- Make every effort to avoid privacy violations, degradation of user or merchant experience, disruption to production systems, and destruction of data during security testing
- Not attempt to gain access to any other persons account, data or personal information;
- Use the identified email address to report any vulnerability information to us;
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Lazypay. Lazypay will take a reasonable time to remedy such vulnerability (approximately 3 months as a minimum but this is dependent on the nature of the security vulnerability and regulatory compliance by Lazypay). The researcher shall not publicly disclose the bug or vulnerability on any online or physical platform before it is fixed and prior written approval to publicly disclose from Lazypay;
- Not perform any attack that could harm the reliability, integrity and capacity of our services. DDoS/spam attached not allowed;
- Not use scanners or automated tools to find vulnerabilities (noisy and we may automatically suspend your account and ban your IP address);
- As a researcher, you represent and warrant that you have the right, title and interest to disclose any vulnerability found and to submit any information, including documents, codes, among others, in connection therewith. Once you inform a vulnerability, you grant Lazypay, its subsidiaries and affiliates an irrevocable, worldwide, royalty-free, transferrable, sub-licensable right to use in any way Lazypay deems appropriate for any purpose, such as: reproduction, modification, distribution, adaptation among other uses, the information related with the vulnerabilities. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by Lazypay.
Remember that you must never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
8. Reporting Potential Vulnerabilities
The information in your report is extremely sensitive. To make a report to Lazypay’s Information Security Team, email to email@example.com.
Reports should include the following information:
- Your name and contact information;
- Your organization (if applicable) or LinkedIn/Twitter profile URLs;
- The Lazypay services that may be affected;
- A detailed description of the issue that you’ve discovered;
- Supporting technical details, including descriptions or examples of exploit/attack code, packet captures, and steps to reproduce the issue;
- Any known information about live exploits;
Researcher shall fully indemnify, hold harmless and defend (collectively “indemnify” and “indemnification”) Lazypay, its subsidiaries and affiliates, its directors, officers, employees, agents, and stockholders (collectively, “Indemnified Parties”) from and against all claims, demands, actions, suits, damages, liabilities, losses, settlements, judgments, costs and expenses (including but not limited to reasonable attorney’s fees and costs), whether or not involving a third party claim, which arise out of or relate to:
- Any breach of any representation or warranty contained in this Responsible Disclosure Policy made by the researcher;
- Any breach or violation of the terms of this Responsible Disclosure Policy or any obligation or duty of the Researcher referred therein or under applicable law;
- Any breach of the confidentiality;
- Any misuse of data, including personal data;
- Any breach of any waiver granted
- Any attempt to contact Lazypay’s clients, users or third parties to inform the existence of the vulnerability. It includes any reference or message in social media making reference to the finding;
- Any attempt to bring direct or indirectly claims, lawsuits, demands, actions judgments against Lazypay or any other Indemnified Party, in each case whether or not caused by the negligence of Lazypay or any other Indemnified Party and whether or not the relevant claim has merit.