Responsible disclosure

Rewards Program Terms

Based on the risk of the reported security vulnerability, Pay. decides the reward. Please note: if the report is not a security issue or is low risk, no reward may be awarded.
When duplicate reports are received about a specific security issue, the reward will be awarded to the first person to report the security issue. Pay. determines whether there is a double report and does not share substantive data about the reports concerned.
An awarded reward is only given to one person.
We try to provide equal rewards for similar security vulnerabilities. However, the rewards and eligible security vulnerabilities are subject to change. Past awards are no guarantee of comparable results in the future.

What can you not report?

This Responsible Disclosure scheme is not intended for reporting complaints. The scheme is also not intended for:

reporting that the website is not available
reporting fraud
reporting fake emails (phishing emails)
reporting viruses

Websites out of scope

We use third-party software, this software does not contain critical data and in some cases is hosted externally. Security notifications for the following:

https://developer.pay.nl - technical documentation
https://docs.pay.nl - information centre
https://support.pay.nl - ticket platform
https://status.pay.nl - status page
https://www.pay.nl - Marketing website, or any legacy or co-branded website www(#).pay.nl
https://werkenbijpay.nl - Recruitment website

Are exclused from the Resposible Disclosure program.

To demonstrate various webshop systems, example shops are set up on the domain: paywebshopdemo.nl

All subdomains on the URL paywebshopdemo.nl are excluded from this Responsible Disclose (https://*********.paywebshopdemo.nl).

What do we do next?

After receiving your report, you will receive an automatic confirmation of receipt from us. You will be notified of the next steps within 3 business days.

Is it a serious security issue? Then you will receive an appropriate reward from us as a thank you for reporting it. Determining what the reward is, is based on the risk and impact of the security problem, and can vary from a t-shirt to a maximum of 250 euros in gift vouchers. Please note: this must be an unknown and serious security problem.

Your contact details are only used to communicate about the report. We do not share these with others, unless law, regulation or judicial authorities require us to do so. If we regard your action as a criminal offence (i.e. you do not act in good faith), we will report it to the police.

If you have reported anonymously, we will not be able to transfer your reward and keep you informed.

How can you submit a report?

You can report a discovered vulnerability in our services via security@pay.nl.

Rules

Please don't make the issue public and only share it via security@pay.nl. This is how we keep our customers' data safe. It would be great if you give us the time to solve the problem.

When investigating the vulnerability found, do not damage the applications. You may not share data with anyone other than Pay. employees. Furthermore, the service should never be intentionally interrupted by your research.

When researching our systems, you could potentially be doing something that is not allowed by law. If you act in good faith, carefully and in accordance with the rules below, we will not file a report.

We ask that you:

clearly substantiate in your report how the security problem can be exploited. For example, use screenshots or a step-by-step explanation.
do not use social engineering to access our systems.
do not put a backdoor in an information system to show the weak spot.
only do what is strictly necessary to demonstrate the vulnerability.
do not copy, modify or delete any data. Only send us (minimum) information that you need to demonstrate the problem. For example, make a directory listing or screenshot.
restrict attempts to gain access to the system, and do not share information about gained access with others.
do not use so-called 'brute force attacks' to get into our systems.
submit one security issue per report.
to respond if we need additional information about the submitted report.

Never contact us directly or via channels other than security@pay.nl.

Exceptions

Pay. may decide to not reward a report if it concerns a vulnerability with a low or accepted risk. Below are some examples of such vulnerabilities:

HTTP 404 codes or other non HTTP 200 codes
Add plain text in 404 pages
Version banners on public services
Publicly accessible files and folders containing non-sensitive information
Clickjacking on pages without a login
Cross-site request forgery (CSRF) on forms that can be accessed anonymously
Lack of 'secure' / 'HTTP Only' flags on non-sensitive cookies
Notifications related to SSL certificate (e.g. weak cipher)
Using the HTTP OPTIONS Method
Host Header Injection
Lack of SPF, DKIM and DMARC records
Lack of DNSSEC
The lack of HTTP Security Headers
Reporting outdated versions of software (e.g. jQuery) without a proof of concept or working exploit
Notifications related to Cloudflare
Tabnabbing
Best practices

Discovered a security issue in our services?

Let us know! Keeping our data secure is extremely important to us. That is why we constantly work on keeping our services safe and maintain the highest standards of security. However, should something go wrong, we would like to be informed.

What can you report?

You can report vulnerabilities in our services. Examples:

Cross-Site Scripting (XSS) vulnerabilities
SQL injection vulnerabilities
Weaknesses in secure connection devices

Please send an email with the found issue to security@pay.nl and explain the problem you have found as clearly as possible.

We are confident that regular mail encryption is sufficient enough to provide the confidentiality needed to report a vulnerability. However, if you feel that your vulnerability report requires the use of PGP encryption you can find our public key below.

Key created on 2022-12-01.