Vulnerability Disclosure Program

Overview

The security researcher community regularly makes valuable contributions to the security of organisations and the broader Internet, and Reward Gateway recognises that fostering a close relationship with the community will help improve our own security.

We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered – as set out in this program – so we can fix them and keep our users safe. We have developed this policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith.

We take cybersecurity very seriously. As an extra layer of protection to our cybersecurity program, we are committed to working with skilled security researchers across the globe to help identify and mitigate any potential security vulnerabilities in our systems not already detected through our internal controls.

Our Vulnerability Disclosure Program (VDP) is a structured framework for security researchers to identify and submit security vulnerabilities to us.

Information submitted to Reward Gateway under this program will be used for defensive purposes – to mitigate or remediate vulnerabilities in our digital products, networks or applications, or the applications of our vendors.

Authorization

If you make a good faith effort to comply with the restrictions, scope, terms and conditions described here during your security research, we will consider your research to be authorised, we will work with you to understand and resolve the issue quickly, and Reward Gateway will not recommend or pursue legal action related to your research.

Scope

Any digital product, public-facing website or web API owned, operated, or controlled by Reward Gateway, including web applications hosted on those products and sites.

Terms and conditions

Reward Gateway will deal in good faith with researchers who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with these guidelines:

  • You should only test in order to detect a vulnerability or identify an indicator related to a vulnerability.

  • You should not share information about a vulnerability or an indicator related to a vulnerability without the specific permission of Reward Gateway.

  • You should do no harm, and should not exploit any vulnerability beyond the minimal amount of testing required to prove that the vulnerability exists or to identify an indicator related to it.

  • You should avoid intentionally accessing the content of any Reward Gateway data in transit or at rest, except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.

  • You should not exfiltrate any data under any circumstances.

  • You should not compromise the privacy or safety of Reward Gateway personnel or any third parties.

  • You should not intentionally compromise the intellectual property or commercial interests of any Reward Gateway personnel or entities, or any third parties.

  • You should not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving explicit written authorisation from Reward Gateway.

  • You should not conduct denial of service testing.

  • You should not conduct social engineering, including spear phishing, of Reward Gateway personnel or contractors.

  • You should not submit a high volume of low-quality reports.

  • If at any point you are uncertain whether to continue testing, please engage with our team.

  • Upon discovery of a vulnerability, you should cease testing and notify us immediately.

  • Upon discovery of an exposure of nonpublic data, you should cease testing and notify us immediately.

  • Upon reporting a vulnerability, you should purge any stored or extracted nonpublic data.

  • You should refrain from breaking any applicable law or regulations.

  • You should refrain from accessing unnecessary, excessive or significant amounts of data.

  • You should refrain from modifying data in the Organisation’s systems or services.

  • You should refrain from using high-intensity, invasive or destructive scanning tools to find vulnerabilities.

  • You should refrain from attempting any form of denial of service, e.g. overwhelming a service with a high volume of requests.

  • You should refrain from disrupting the Organisation’s services or systems.

  • You should refrain from submitting reports detailing TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS 1.0 support.

  • You should refrain from communicating any vulnerabilities or associated details other than by the means described here.

  • You should refrain from social engineering, ‘phishing’ or physically attacking the Organisation’s staff or infrastructure.

  • You should refrain from demanding financial compensation in order to disclose any vulnerabilities.

Your actions should cause no harm! Any exfiltration or downloading of data, disclosure of confidential information, and/or disruption of our customers’ experience are all outside the scope of this program and outside any protections it affords from legal recourse!

What You Can Expect From Us

We take every disclosure seriously and appreciate the efforts of security researchers. We will investigate every disclosure and strive to ensure that appropriate steps are taken to mitigate risk and remediate reported vulnerabilities.

After you have submitted your report, we will respond within 5 working days and aim to triage your report within 10 working days. We’ll also aim to keep you informed of our progress.

Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire on the status but should avoid doing so more than once every 14 days. This allows our teams to focus on the remediation.

We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately. Once your vulnerability has been resolved, we welcome requests to disclose your report. We’d like to unify guidance to affected users, so please do continue to coordinate public release with us.

Reward Gateway must take extra care while investigating the impact of vulnerabilities and providing a fix, so we ask your patience during this period.

We ask that you do not share or publicise an unresolved vulnerability with third parties. If you responsibly submit a vulnerability report, the Reward Gateway security team and associated development organisations will use reasonable efforts to:

  • Respond in a timely manner, acknowledging receipt of your vulnerability report

  • Provide an estimated time frame for addressing the vulnerability report

  • Notify you when the vulnerability has been fixed

We are happy to thank every individual researcher who submits a vulnerability report that helps us improve our overall security posture at Reward Gateway.

Where necessary or if we are unable to resolve communication issues or other problems, Reward Gateway may bring in a neutral third party to assist in determining how best to handle the vulnerability.

Legal

You must comply with all applicable International, Federal, State, and local laws, including applicable Data Protection Law in connection with your security research activities or other participation in this vulnerability disclosure program.

Reward Gateway does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.

You agree that You shall not, without the prior written consent of Reward Gateway in each instance (i) use in advertising, publicity or otherwise the name of Reward Gateway or its Affiliates or any trade name, trademark, trade device, service mark, symbol or any abbreviation, contraction or simulation thereof owned by Reward Gateway or its Affiliates, or (ii) represent, directly or indirectly, any service or work provided by You as approved or endorsed by Reward Gateway.

You agree that any and all information, including personal information, acquired or accessed by You as part of this exercise is confidential to Reward Gateway and You shall hold the Confidential Information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give or disclose such information to third parties or use such information for any purpose other than for the performance of your work.

If you conduct your security research and vulnerability disclosure activities in accordance with the restrictions and guidelines set forth in this policy, Reward Gateway will not initiate or recommend any law enforcement or civil lawsuits related to such activities. To the extent that any security research or vulnerability disclosure activity involves the products, networks, systems, information, applications, or services of a non-Reward Gateway entity (such as a Reward Gateway supplier), Reward Gateway will take steps to make known that your activities were conducted pursuant to and in compliance with this policy.

Reward Gateway may modify the terms of this policy or terminate the policy at any time.


How to Submit a Report

Please fill in and submit the form on this page. Include a detailed summary of the vulnerability, including type of issue; digital product, version, and configuration of software containing the bug; step-by-step instructions to reproduce the issue; proof-of-concept; impact of the issue; and suggested mitigation or remediation actions, as appropriate.

Hostname/URL of the vulnerability *

Vulnerability description and potential impact *

Detailed description of steps to reproduce *

Is there anything else we should know?

Email for contact about the report

* I have read and agree with the terms and conditions

By sending this information you are indicating that you have read, understand, and agree to the terms and conditions described in this policy for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to Reward Gateway digital products and information systems, and consent to having the contents of the communication and follow-up communications stored. Any personal information submitted as part of the report, such as your email address, will only be used for the purpose of communicating with you about the report and will not be used for any other purpose. In order to track trends in vulnerabilities, these reports may be held for up to 5 years, after which they will be deleted from our systems and back-ups.