Disclosure Policy

Open Financial looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Open will engage with you as external security researchers (the Researcher) when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy.

If a Researcher follows the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us, unless prescribed otherwise by law or the payment scheme rules, we commit to:

• promptly acknowledging receipt of your vulnerability report and work with the researcher to understand and attempt to resolve the issue quickly;
• validating, responding and fixing such vulnerability in accordance with our commitment to security and privacy. We will notify you when the issue is fixed
• unless prescribed by law otherwise, not pursue or take legal action against you or the person who reported such security vulnerabilities;
• not suspend or terminate access to our service/services if you are a merchant. If you are an agent, not suspend or terminate merchants access to our services to which the agent represents;

RESPONSE TARGETS:

Open Financial will make a best effort to meet the following SLAs for hackers participating in our program:

Time to first response (from report submitted) - 3 business day

Time to triage (from report submitted) - 5 business days

Time to bounty (from triage) - 10 business days

Time to Resolution - depends on severity and complexity

We'll try to keep you informed about our progress throughout the process.

DISCLOSURE POLICY:

The identified bug shall have to be reported to our security team by sending us a mail from your registered email address to security@bankopen.co with email containing below details with subject prefix with "Bug Bounty". The mail should strictly follow the format below.

Note: For <Vulnerability Category> in subject line, please try to select vulnerability category closely matched with defined in Reward categorisations. The Open security team will review the submission and revert back within 3 working days.

PROGRAM RULES:

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

TEST PLAN:

• Verify the things with proper data and should not misuse the data for transactions
• Indian rupees to be considered to do testing with different set of data
• Proper set of environment to be used for testing

REWARD CATEGORIZATION:

Note: Automated tools or scripts ARE STRICTLY PROHIBITED, and any POC submitted to us should have a proper step-by-step guide to reproduce the issue.

Abuse of any vulnerability found shall be liable for legal penalties.

Note: Bounty rewards will be established after discussion with the stakeholder leadership team..

All the bounty rewards will be paid based on an internal assessment by the Open security team. We have grouped vulnerabilities based on impact in below severity categorisation. Vulnerability categorisation based on severity created to give insight how we assess the vulnerabilities. It's not an exhaustive list and Open can update it at any point of time

Critical

• SQL Injections (Able to access and manipulate sensitive and PII information)
• Remote Code Execution (RCE) vulnerabilities
• Shell Upload vulnerabilities (Only upload basic backend script that just prints some string, preferably try printing the hostname of the server and stop there!)
• Vertical privilege escalation (Gaining admin access)
• Bulk user sensitive information leak Business logic vulnerabilities (Critically impacting Open Brand, User (Customer/Vendor/Delivery Executive) data and financial transactions)

High

• Authentication bypass
• Non-Blind SSRF
• Account Takeover (Without user interaction)
• Vertical privilege escalation (Gaining admin access)
• Stored XSS
• Subdomain Takeover (On active domains)
• IDOR (Able to access and modify sensitive and PII information)
• Horizontal privilege escalation
• Deserialization vulnerabilities
• Stored XSS
• Mobile App vulnerability (Doesn’t require root/jailbreak access on the device and having access to sensitive information)

Medium

• Account Takeover (With user interaction)
• IDOR (Able to access and modify non-sensitive information)
• Reflected/DOM XSS to steal user cookies
• Subdomain Takeover ( On non-active domains)
• Injection attacks ( Formula injection, Host header injection)
• Mobile App vulnerability (Require root/jailbreak access on the device and having access to sensitive information)

Low

• Path Traversal (Access non-sensitive information)
• IDOR (Non-sensitive information disclosure)
• Mobile App vulnerability (Require root/jailbreak access on the device and having access to non-sensitive information)
• Mobile App vulnerability (Doesn’t require root/jailbreak access on the device and having access to non-sensitive information)
• Captcha bypass

EXCLUSIONS:

General

• IDOR references for objects that you have permission to
• Duplicate submissions that are being remediated
• Known issues
• Rate limiting (Unless which impacts severe threat to data, business loss)
• Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
• Open redirects
• Clickjacking and issues only exploitable through clickjacking
• Only session cookies needed http and secure flags. Apart from these, for other cookies we won’t consider as vulnerability
• Social Engineering attacks

System Related

• Patches released within the last 30 days
• Networking issues or industry standards
• Password complexity

Email Related

• SPF or DMARC records
• Gmail "+" and "." acceptance
• Email bombs
• Unsubscribing from marketing emails

Information Leakage

• Descriptive error messages (e.g. Stack Traces, application or server errors)
• HTTP 404 codes/pages or other HTTP non-200 codes/pages
• Fingerprinting / banner disclosure on common/public services
• Disclosure of known public files or directories, (e.g. robots.txt)
• Cacheable SSL pages
• SSL/TLS best practices

CSRF

• CSRF on forms that are available to anonymous users (e.g. the contact form, sign-up form)
• Logout Cross-Site Request Forgery (logout CSRF)
• Weak CSRF in the APIs

Login/Session Related

• Forgot Password page brute force and account lockout not enforced
• Lack of Captcha
• Sessions not expiring after email change
• Presence of application or web browser 'autocomplete' or 'save password' functionality
• Session Timeouts

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Open Financial and our users safe!

Scopes:

In Scope

Web - https://app.open.money

API - https://v2-api.bankopen.co

OPEN NON-DISCLOSURE TERMS ("TERMS"):

Definition

Confidential information' shall mean all information supplied in confidence by the Company to the Participant, which may be disclosed to the Participant or otherwise acquired by the Participant in its performance under this Security Bug Bounty Responsible Disclosure Program including -

1. All information which a reasonable person would consider confidential under the context of disclosure or due to the nature of the information itself, and shall include technical and non-technical information, intellectual property rights, know-how, designs, techniques, plans, procedure, improvement, technology or method, object code, source code, databases or any other information relating to the Company's product, work in progress, future development of the Company's product
2. Marketing strategies, plans, financial information, projections, operations, sales estimates, shareholding patterns, business plans and performance results relating to the past, present or future business of the Company, plans for products or services, and customer or supplier lists
3. The content, the technical documents and all information in relation to the Company's product the terms of this Agreement
4. Any information which may be communicated.

Obligation Of Confidentiality:

1. The Participant undertakes to treat and maintain all Confidential Information in confidence. With respect thereto, the Participant undertakes and agrees as follows:
   1. These Terms do not create a joint venture or partnership between the Parties.
   2. For a period of 5 (five) years the Participant shall not publish, disseminate, disclose any Confidential Information.
   3. The Participant shall use the Confidential Information only in connection with the Purpose and for no other reason whatsoever
2. The Participant shall not copy or reproduce to writing any part of the Confidential Information and any copies, reproductions or reductions to writing of the Confidential Information which have already been made by the Parties shall be the property of the Company.
3. The Participant shall not, from the date of agreeing to these Terms, independently develop or have developed for itself products, concepts, systems or techniques that are similar to or compete with the products, concepts, systems or techniques contemplated by or embodied in the Confidential Information of the Company or the Purpose, which development shall be construed as a violation of the obligations of the Participant under these Terms.
4. The Participant shall indemnify, defend and hold the Company harmless from and against any losses, costs, expenses, damages of whatsoever nature which may be incurred or suffered by the Company arising out of or as a result of any breach of contract, warranty, tort (including negligence) or otherwise of any of the Participant;s obligations or agreements contained herein.

Ownership:

All Confidential Information furnished to the Participant by the Company shall remain the exclusive property of the Company and the Company shall have the sole and exclusive ownership of all right, title, and interest in and to the Confidential Information, including ownership of all copyrights, patents and trade secrets pertaining thereto, subject only to the rights and privileges expressly granted by the Company under the Terms mentioned herein above.

Promptly upon the Company's request at any time, the Participant shall return / cause to be returned to the Company all the Confidential Information, including all materials or documents, any copies, summaries and notes of the contents thereof (whether in hard or soft copy form) without limitation, all copies of any analyses, compilations, studies or other documents prepared by and/or for Company, containing or reflecting any Confidential Information and give written certification accordingly.

Remedies:

The Participant understands and acknowledges that any disclosure or misappropriation of any of the Confidential Information in violation of the confidentiality obligations will cause the Company grave and irreparable harm, loss and injury, the amount of which may be difficult to ascertain. The Participant agrees that the Company has the right to apply to a court of competent jurisdiction for specific performance and/ or an order restraining and enjoining any such further disclosure or breach and for such other relief as the Company shall deem appropriate, without posting or the need to post any bond or other security. Such right of the Company to obtain equitable relief in the form of specific performance, temporary restraining order, temporary or permanent injunction or any other equitable remedy which may then be available to it, without the necessity of proving actual damages, shall be in addition to the remedies otherwise available to it at law. The Participant expressly waives the defense that a remedy in damages will be adequate

No Warranties:

Nothing contained in the Terms mentioned hereinabove shall be construed to obligate the Company to disclose any information to the Participant.

Miscellaneous:

1. Any notice or communication to be given under to the Participant shall be given if delivered in writing to the intended Participant on the email id provided by the Participant at the time of registration
2. These Terms shall be fully binding upon the Participant.
3. The Participant shall not make any assignment of these Terms or any interest therein.
4. The failure of the Company to insist upon or enforce strict performance of any of the Terms mentioned hereinabove or to exercise any rights or remedies mentioned hereinabove, shall not be construed as a waiver or relinquishment to any extent of the Company's rights to assert or rely upon any such provisions, rights or remedies in that or any other instance; rather the same shall remain in full force and effect.
5. These Terms shall be governed by, construed and enforced in accordance with the laws of the Republic of India.
6. The courts in Bangalore shall have the exclusive jurisdiction