System security is a top priority at Hyperswitch. Regardless of the amount of effort any Company puts into its system security, ensuring a safe and secure environment is a continuous process. Hyperswitch believes that working with skilled security researchers across the globe is crucial in identifying any weaknesses in its systems, and in ensuring that its security is maintained.

Hyperswitch hence invites all skilled security researchers to participate in its Vulnerability Disclosure Program (the ‘Program’)

Hyperswitch will engage with you as an external security researcher (the Researcher) when vulnerabilities are reported to us in compliance with the below Responsible Disclosure Policy.
If a Researcher follows the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us, unless prescribed otherwise by law or the payment scheme rules, we commit to:

  • Promptly acknowledge the receipt of your vulnerability report and work with you, the researcher, to understand and resolve the issue quickly;
  • Validate, respond and fix such vulnerability in accordance with our commitment to security and privacy. We will notify you when the issue is fixed;
  • Unless prescribed by law otherwise, not pursue or take legal action against you or the person who reported such security vulnerabilities;
  • Not suspend or terminate access to our service/services if you are a merchant or representative for a merchant;
  • Publicly acknowledge and recognise your responsible disclosure in our Hall of Fame page.

 

  • I. Scope of the Program:

II. Terms of Registration:

These terms govern the terms of your access and participation in the Hyperswitch Vulnerability Disclosure Program and you deem to agree and undertake to abide by these terms while participating in the Program and submitting your reports. By agreeing to participate in the Program, you agree to abide by the terms hereunder.

  1. By submitting the vulnerability through this Program, you affirm that you have not disclosed and agree that you will not disclose the bug or your submission to anyone other than to Hyperswitch under this Program.
  2. Any information you receive or collect about Hyperswitch by participating in this Program must be kept confidential and only used in connection with the Program and in line with getting the vulnerabilities cleared. You may not use, disclose or distribute any such confidential information, including, but not limited to, any information regarding your submission and information you obtain when researching the Hyperswitch sites, without Hyperswitch's prior written consent.
  3. Your testing activities must not negatively impact Hyperswitch or Hyperswitch's business or performance.
  4. You are responsible for notifying Hyperswitch of any changes to your contact information, including but not limited to your email address.
  5. Only the above listed in-scope domains should be included in the security testing by any researcher and the scope of this Program is limited to security vulnerabilities found within the scope of the program

III. Guidelines for Responsible Disclosure:

Researchers will need to comply with the below guidelines while disclosing the vulnerabilities detected:

  1. Researchers should notify us as soon as they find any potential security issue on the notified e-mail id (security@juspay.in)
  2. The researchers are advised to stick to this policy and shall not be allowed to disclose details of the vulnerability to any third party or expose it to any agencies.
  3. Researchers will be required to use official communication channels only. Do not use personal emails, social media accounts, or other private connections to contact a member of the security team in regard to vulnerabilities or any program related issues, unless you have been instructed to do so.
  4. Any unauthorized attempts of social engineering, phishing, or physical attacks against Hyperswitch’s employees, users, or impersonation of a Hyperswitch employee through a third party, another hacker, or a security team will not be tolerated.
  5. Researchers should not gain unauthorized access or destroy any user's data.
  6. Any unauthorized attempts of social engineering, phishing, or physical attacks against Hyperswitch’s employees, users, or impersonation of a Hyperswitch employee through a third party, another hacker, or a security team will not be tolerated.
  7. Researchers shall be strictly prohibited from exploiting any of the vulnerabilities found.
  8. Researchers will make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.

IV. How to Report:

  1. Drop us an email atsecurity@juspay.in with the details of the vulnerability identified to register yourself.
  2. Once registered, you shall only use the registered email Id to interact with the Hyperswitch security team. Do not use personal emails, social media accounts, or other private connections to contact a member of the security team in regard to vulnerabilities or any program-related issues, unless you have been instructed to do so.
  3. Upon detection of a vulnerability/bug, you shall immediately report it to the Hyperswitch team and such bug/vulnerability report shall include:
    • Details that must be included in the report:
    • Description and potential impact of the vulnerability.
    • Information about the researcher including organization name and contact name.
    • Products or solutions and versions affected.
    • Proof-of-Concept URL and the information of affected parameters.
    • Supporting technical details (such as system configuration, traces, description of exploit/attack code).
    • Information about known exploits/attacks.
    • Detailed steps of reproducing the vulnerability
    • Screenshots to show Proof-of-Concept
    • Details of the system where the tests were conducted
    • Video recording of the Proof-of-Concept (If Possible.)

However, Hyperswitch reserves the right to refuse your request if any of the above-mentioned details are not provided by you to Hyperswitch.

V. Exclusions:

  1. While researching, you shall strictly refrain from indulging in:
    1. Social engineering (including phishing) with any Hyperswitch staff or contractors
    2. Any physical attempts against Hyperswitch property, data centers or infrastructure
    3. Denial of Service, Distributed-DoS ( DDoS )
    4. X-Frame-Options related, missing cookie flags on non-sensitive cookies;
    5. Missing security headers which do not lead directly to a vulnerability (unless you deliver a PoC)
    6. Version exposure (unless you deliver a PoC of working exploit)
    7. Directory listing with already public readable content
    8. Content spoofing on error pages or text injection
    9. Information disclosure not associated with a vulnerability, i.e.: stack traces, application or server errors, robots.txt etc
    10. Use of known-vulnerable libraries without proof of exploitation such as OpenSSL
    11. Vulnerabilities affecting end of life browsers or platforms;
    12. Login or forgotten password page brute forcing and account lockout not being enforced;
    13. Application denial of service by locking user accounts;
    14. Password or account recovery policies, such as reset link expiration or password complexity;
    15. Reports from automated scripts or scanners;
    16. Findings from physical testing such as office access (e.g. open doors, tailgating);
    17. Findings derived primarily from social engineering (e.g. phishing, vishing, smishing);
    18. Functional, UI and UX bugs and spelling mistakes;
    19. Logged out cross-site request forgery (logout CSRF)
    20. Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
    21. Options / trace HTTP method being enabled (unless you deliver a PoC of working exploit)
    22. Modification of headers, URLs, POST body content, server responses by man-in-the-middle attacks
    23. Fingerprinting / banner disclosure on common / public services
    24. Clickjacking and issues only exploitable through clickjacking
    25. No / weak captcha / captcha bypass
    26. SSL issues such as BEAST, BREACH, renegotiation attack, forward secrecy not enabled, weak / insecure cipher suites.

Hyperswitch reserves its right to expand this list and include additional exclusions when required.

VI. Additional Terms:

  1. You must abide by the law and intimation of vulnerability shall be as per the law.
  2. Hyperswitch reserves the right to discontinue the Program with prior intimation to registered researchers.
  3. By submitting information about a potential vulnerability, you are agreeing to these terms and conditions and granting Hyperswitch a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing vulnerabilities.
  4. Hyperswitch reserves the right to hold you responsible and liable for any consequences arising out of your breach of these terms or breach of confidentiality. You hereby undertake to indemnify and keep indemnified Hyperswitch and its directors, officers, employees and consultants against all losses, damages, claims or liabilities that they incur due to any Fraud, Willful Misconduct, Gross Negligence, breach of confidentiality or due to breach of personal confidential information.

VII. Governing Law and Jurisdiction::

These terms shall be governed by the Laws of India and the courts at Bangalore, India shall have exclusive jurisdiction to try any disputes that may arise out of this Program.