Disclosure Policy
Open Financial Technologies Private Limited (hereinafter referred to as "Open") regards the security of its products and services as an essential part of its business practice. To maintain this practice, we encourage security researchers ("Participant(s)") to responsibly disclose any security vulnerabilities they identify in Open's systems. Such reporting enables Open to strengthen the security of its systems in order to keep its business and customers safe. This Responsible Disclosure Policy ("Policy") is a guide for Participants on conducting responsible vulnerability discovery activities and the manner in which findings should be submitted to us.
If a Participant believes they have found a real or potential security vulnerability in any Open-owned system or software, we urge them to report it to us as soon as possible via the 'Submit Report' tab provided above. We appreciate your efforts in helping us provide better quality products and services to our customers. Wherever the context requires, Open and the Participant are hereinafter collectively referred to as "Parties" and individually as "Party".
If a Participant follows the guidelines below while reporting a security vulnerability to Open, then unless otherwise prescribed by law or the payment scheme rules, Open shall:
- promptly acknowledge receipt of the vulnerability report and work with the Participant to understand and attempt to resolve the issue quickly;
- validate, respond to and fix the vulnerability in accordance with Open's commitment to security and privacy, and notify the Participant when the issue is fixed;
- not pursue or take legal action against the Participant or the person who reported the vulnerability, unless required by law;
- not suspend or terminate the Participant's access to Open's services if the Participant is a merchant. If the Participant is an agent of a merchant, Open shall not suspend or terminate the merchant's access to Open's services.
RESPONSE TARGETS:
On a best-efforts basis, Open shall endeavour to meet the following service levels for Participants engaging in our program:
- Time to first response: 3 business days from receipt of the report.
- Time to resolution: depends on the severity and complexity of the security vulnerability reported.
Open shall aim to keep the Participant informed of progress at each stage of the aforementioned process.
DISCLOSURE POLICY:
The identified vulnerability shall be reported to our security team by sending an email from the registered email address to [email protected], with the subject prefixed with "Bug Bounty" and containing the details below. The email shall strictly follow the specified format.
Subject:
Bug Bounty: <Vulnerability Type> - <Participant’s Full Name>
Email Body:
Vulnerability Information:
Name of Vulnerability:
Vulnerability type:
Description:
Vulnerable Instances:
Steps to Reproduce:
Proof of Concept:
Impact:
Recommendation:
Bounty Hunter details:
Full Name:
Email Address:
Mobile Number:
Any Publicly Identifiable profile:
Note: Open's security team shall review the submission and respond to the Participant within 3 business days.
PROGRAM RULES:
- The Participant should provide a detailed report on the security vulnerability with reproducible steps. If Open determines that the report is not detailed enough to reproduce the vulnerability, the vulnerability shall not be eligible for a reward.
- The Participant should submit one report per security vulnerability, unless multiple vulnerabilities need to be combined to demonstrate a collective impact.
- When duplicate or multiple reports are submitted for the same security vulnerability, Open shall only reward the first report received (provided the vulnerability is fully reproducible).
- Multiple security vulnerabilities reported for one underlying issue will be awarded a bounty only once.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- The Participant should make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of Open's services. The Participant should interact only with accounts they own, or with a third party's account with the explicit permission of the account holder.
TEST PLAN:
- Verify the security vulnerability using appropriate test data, ensuring that the data is not misused for any other transactions.
- Use Indian Rupee (INR) as the currency when testing with different sets of data.
- Use the appropriate environments for testing.
REWARD CATEGORIZATION:
We have grouped vulnerabilities by impact into the severity categories below; this categorisation is provided to give insight into how we assess vulnerabilities. It is not an exhaustive list, and Open may update it at any time.
Note:
- Automated tools or scripts are strictly prohibited, and any PoC submitted to Open shall include a proper step-by-step guide to reproduce the security vulnerability.
- Abuse of any security vulnerability identified by the Participant may be subject to legal penalties.
- Bounty rewards will be determined after discussion among the concerned stakeholders in Open's leadership team.
- All bounty rewards will be paid based on an internal assessment by Open's security team.
Critical
- SQL injection (able to access and manipulate sensitive and PII information)
- Remote Code Execution (RCE) vulnerabilities
- Shell upload vulnerabilities (only upload a minimal backend script that prints a string, preferably the hostname of the server, and stop there)
- Bulk leak of sensitive user information
- Business logic vulnerabilities (critically impacting the Open brand, user (customer/vendor/delivery executive) data or financial transactions)
High
- Authentication bypass
- Non-Blind SSRF
- Account Takeover (Without user interaction)
- Vertical privilege escalation (Gaining admin access)
- Stored XSS
- Subdomain Takeover (On active domains)
- IDOR (Able to access and modify sensitive and PII information)
- Horizontal privilege escalation
- Deserialization vulnerabilities
Medium
- Account Takeover (With user interaction)
- IDOR (Able to access and modify non-sensitive information)
- Reflected/DOM XSS to steal user cookies
- Subdomain Takeover (On non-active domains)
- Injection attacks (Formula injection, Host header injection)
Low
- Path Traversal (Access non-sensitive information)
- IDOR (Non-sensitive information disclosure)
- Captcha bypass
EXCLUSIONS:
General
- IDOR references for objects that the user already has permission to access
- Duplicate submissions for issues that are already being remediated
- Known issues
- Missing rate limiting (unless it poses a severe threat to data or causes business loss)
- Open redirects
- Clickjacking, and issues exploitable only through clickjacking
- Social engineering attacks
- Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
- Missing HttpOnly or Secure flags on cookies other than session cookies (only session cookies lacking these flags will be considered a security vulnerability)
- Missing security headers
- Missing HSTS policy
- Username or email address enumeration
- HTML injection
- Missing security best practices that do not constitute a vulnerability
- Self-XSS
- Tabnabbing
- Attacks that require physical access to a user's device
- Broken link hijacking
- CSV injection (unless it executes on the server)
- DNSSEC records
Information Leakage
- Descriptive error messages (e.g. stack traces, application or server errors)
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Fingerprinting / banner disclosure on common/public services
- Disclosure of known public files or directories (e.g. robots.txt)
- Cacheable HTTPS pages
- SSL/TLS configuration best practices
CSRF
- CSRF on forms available to anonymous users (e.g. the contact form or sign-up form)
- Logout cross-site request forgery (logout CSRF)
- Weak CSRF protection in APIs
Safe Harbor
Any activity conducted by the Participant in a manner consistent with this Policy will be considered authorized conduct and will not be subject to legal action. If legal action is initiated by a third party against the Participant in connection with activities conducted under this Policy, Open will take necessary steps to make it known to the third party that the Participant’s actions were conducted in compliance with this Policy.
Thank you for helping keep Open and its users safe!
OPEN NON-DISCLOSURE TERMS ("TERMS"):
Definition
'Confidential Information' shall mean all information supplied in confidence by Open to the Participant, which may be disclosed to the Participant or otherwise acquired by the Participant in its performance under this Security Bug Bounty Responsible Disclosure Programme, including but not limited to:
- All information which a reasonable person would consider confidential under the context of disclosure or due to the nature of the information itself, including technical and non-technical information, intellectual property rights, know-how, designs, techniques, plans, procedures, improvements, technology or methods, object code, source code, databases or any other information relating to Open's products, work in progress, or future development of Open's products
- Marketing strategies, plans, financial information, projections, operations, sales estimates, shareholding patterns, business plans and performance results relating to the past, present or future business of Open, plans for products or services, and customer or supplier lists
- The content, the technical documents and all information in relation to Open’s products.
- Any information which may be communicated to the Participant by Open
Obligation Of Confidentiality:
The Participant undertakes to treat and maintain all Confidential Information in confidence. With respect thereto, the Participant undertakes and agrees as follows:
- These Terms are on a principal-to-principal basis, and nothing contained herein shall be deemed to create any association, partnership, joint venture or relationship of principal and agent or master and servant, or employer and employee between the Parties.
- The Participant shall not publish, disseminate, disclose any Confidential Information for the period of 5 (five) years from the time of such information coming to the knowledge of the Participant.
- The Participant shall use the Confidential Information only in connection with the detection and reporting of a security vulnerability and for no other reason whatsoever.
- The Participant shall not copy or reproduce or reduce to writing any part of the Confidential Information and any copies, reproductions or reductions to writing of the Confidential Information which have already been made by the Parties shall be the property of Open.
- The Participant shall not, from the date of agreeing to these Terms, independently develop or have developed for itself products, concepts, systems or techniques that are similar to or compete with the products, concepts, systems or techniques contemplated by or embodied in the Confidential Information of Open, which development shall be construed as a violation of the obligations of the Participant under these Terms.
- The Participant shall indemnify, defend and hold Open harmless from and against any losses, costs, expenses, damages of whatsoever nature which may be incurred or suffered by Open arising out of or in connection with any breach of contract, warranty, tort (including negligence) or otherwise of any of the Participant’s obligations or agreements contained herein.
Ownership:
All Confidential Information furnished to the Participant by Open shall remain the exclusive property of Open and Open shall have the sole and exclusive ownership of all right, title, and interest in and to the Confidential Information, including ownership of all copyrights, patents and trade secrets pertaining thereto, subject only to the rights and privileges expressly granted by Open under the Terms mentioned herein above.
Promptly upon Open’s request at any time, the Participant shall return / cause to be returned to Open all the Confidential Information, including all materials or documents, any copies, summaries and notes of the contents thereof (whether in hard or soft copy form) without limitation, all copies of any analyses, compilations, studies or other documents prepared by and/or for Open, containing or reflecting any Confidential Information and furnish a written certification accordingly.
Remedies:
The Participant understands and acknowledges that any disclosure or misappropriation of any of the Confidential Information in violation of the confidentiality obligations may cause Open grave and irreparable harm, loss and injury, the amount of which may be difficult to ascertain. The Participant agrees that Open has the right to apply to a court of competent jurisdiction for specific performance and/ or an order restraining and enjoining any such further disclosure or breach and for such other relief as Open shall deem appropriate, without posting or the need to post any bond or other security. Such right of Open to obtain equitable relief in the form of specific performance, temporary restraining order, temporary or permanent injunction or any other equitable remedy which may then be available to it, without the necessity of proving actual damages, shall be in addition to the remedies otherwise available to it by law. The Participant expressly waives the defense that a remedy in damages will be adequate.
No Warranties:
Nothing contained in this Policy shall be construed to obligate Open to disclose any information to the Participant.
Miscellaneous:
- Any notice or communication to be given to the Participant under this Policy shall be deemed to be served if the notice in writing is delivered to the email ID provided by the Participant at the time of registration.
- This Policy shall be legally and contractually binding on the Participant.
- The Participant shall not assign this Policy or any interest therein. Any such assignment shall be null and void, and the Participant shall remain solely responsible.
- The failure of Open to insist upon or enforce strict performance of any of the terms of this Policy mentioned hereinabove, or to exercise any rights or remedies mentioned hereinabove, shall not be construed as a waiver or relinquishment to any extent of Open's right to assert or rely upon any such provisions, rights or remedies in that or any other instance; rather, the same shall remain in full force and effect.
- This Policy shall be governed by, construed and enforced in accordance with the laws of the Republic of India.
- The courts at Bangalore shall have the exclusive jurisdiction to adjudicate all matters under this Policy.