Security Policy

Keeping our software and code secure is a top priority for us, and we welcome external security researchers who report security vulnerabilities to us through responsible disclosure.

Please respect our systems: do not use automated vulnerability scanners to brute-force or spam them. Do not attempt social engineering against our users or employees.

Laws and responsible disclosure

Security researchers should act in good faith and report vulnerabilities in full to our security team at security [att] jewelpaymentech.com.

Responsible disclosure entails:

  • Sharing the problem with us in detail
  • Taking the time to explain the issue and provide a working proof of concept (POC) where available
  • Not disclosing the issue publicly before it is fixed
  • Not modifying any data without consent
  • Not breaking any laws

Please also include the following:

  • Your name and the names of any other team members
  • The company or educational institution you represent

Recognition

We run a simple, merit-based bug bounty program; rewards are entirely at our discretion. Once a reported vulnerability is patched, the researcher's name is published on our recognition board. Please understand that we run this program in good faith and receive many reports, most of which are duplicates; we can recognize only the first reporter of a given issue.

Should a monetary bounty be awarded, it will be paid via PayPal. We will need to collect a Form W-9 (U.S. citizens) or W-8BEN (non-U.S.) before any payment can be made. If you are unable or unwilling to share this information, we will still be happy to put your name on the recognition board.

Exclusions

The following issues are excluded from our bug bounty program:

  • Missing SPF/DMARC records
  • Missing policies
  • Missing CSRF tokens
  • Compromise of a device belonging to a customer
  • Missing header information
  • Arbitrary content hosting (including any open source CMS platform)
  • Contact forms
  • XSS and Self-XSS
  • Host header injection
  • Reports of spam
  • Reports from automated tools or scanners
  • Tapjacking
  • Social engineering
  • Missing cookie flags
  • Insecure TLS ciphers
  • Presence of the autocomplete attribute on web forms
  • Vulnerabilities that affect only users running outdated third-party software
  • Known vulnerabilities without a working exploit
  • Vulnerabilities in protocols that are outside our control

All reports must be submitted through the channel described above; by submitting a report, you agree to all of the rules on this page.

Other matters

You are solely responsible for any taxes applicable to your participation in this program, and we reserve the right to modify or terminate the program at any time.

This is not a competition or contest, and we request that all researchers participate in good faith and practice responsible disclosure.

Recognition - Many thanks to:

  • Anonymous Researcher
  • Snehal Datar