Payninja Vulnerability Disclosure Program

Effective Date: November 6, 2024

I. Introduction

At Payninja, security is a top priority. We believe in working with security researchers to identify and address vulnerabilities in our systems. This Vulnerability Disclosure Program ("Program") outlines the process for reporting security vulnerabilities in a responsible manner.

II. Scope

The Program applies to the following domain:

  • payninja.org

Third-party software integrations are out of scope. We may notify the relevant provider of any vulnerabilities found in them.

III. How to Report

  • Email us at: [email address removed] (Subject: SECURITY VULNERABILITY)
  • Alternatively, for urgent reports, you can contact our Cyber Cell at: [email protected]

IV. What We Expect from You

  • Report vulnerabilities in good faith and do not exploit them.
  • Respect user privacy and do not disrupt our systems.
  • Use only the official communication channels ([email protected] or [email protected]).
  • Do not engage in social engineering, phishing, or physical attacks against Payninja personnel, users, or infrastructure.

V. Exclusions

We will not consider reports for:

  • Social engineering attempts.
  • Physical attacks on Payninja property.
  • Denial-of-service attacks.
  • Well-known vulnerabilities reported without a working proof of concept.
  • Vulnerabilities that only affect outdated browsers or platforms.
  • Login/account lockout mechanisms.
  • Functional bugs, UI/UX issues, and spelling mistakes.
  • CSRF on logged-out (unauthenticated) actions.
  • Clickjacking and clickjacking-based vulnerabilities.
  • Captcha bypasses.
  • Certain SSL/TLS configuration issues (e.g., weak cipher suites).

We reserve the right to update this exclusion list as needed.

VI. What We Offer

  • We will promptly acknowledge your report and work with you to understand and resolve the issue.
  • We will validate, respond to, and fix vulnerabilities in accordance with our security practices.
  • We will not take legal action against you for reporting vulnerabilities in good faith.
  • We will not suspend/terminate your access for participating in the program.
  • We may publicly acknowledge your contribution in our Hall of Fame (with your permission).
VII. Public Disclosure

This program is currently in "PUBLIC NON-DISCLOSURE" mode. Do not publicly disclose vulnerabilities without our consent.

VIII. Consequences of Compliance

We will not pursue legal action for accidental, good-faith violations of this policy. Activities conducted consistently with this policy are considered "authorized" under relevant laws. We will not bring legal action against you for circumventing security measures on our in-scope applications. We will defend you if a third party sues you for complying with this program.

IX. Governing Law

These terms are governed by the laws of India. The courts of New Delhi, India, have exclusive jurisdiction over any disputes arising from this program.

X. Contact Us

For any questions about this program, contact us at: [email protected]

We appreciate your help in keeping Payninja secure!