Coordinated Vulnerability Disclosure

Payconiq highly values the security of our systems and platform, and the effort security researchers put in to improve it.

Even though we continuously take the utmost care of our systems, it might just happen that you have found a vulnerability or weakness. In order to resolve this swiftly, we kindly request that you follow this guideline to report it to us.

Only Payconiq owned and administered services are in the scope of this policy. That includes payconiq affiliated web domains like payconiq.com and other payconiq domains, except payconiq.be

Guideline

To encourage disclosing your report responsibly, we will not take legal action against you nor ask law enforcement to investigate you, and possibly reward you, provided that you comply with these guidelines:

Send the details in an email to [email protected] .
Make a good faith effort to prevent privacy violations, destruction of data and interruption/degradation of any of our services.
Do not download, read, share or modify any information or data that does not belong to you.
Do not share details that relate to the vulnerability with others until fully mitigated.
Destroy all remaining private data, resulting from your research, immediately after reporting the vulnerability.
Do not use any research attempt that involves breaching or attacking physical security or the use of social engineering, DOS, spam, fishing or any involvement of third parties.
Provide details of the vulnerability so that we can reproduce it, including a Proof of Concept (POC), information on the URL, endpoint and IP address, and other necessary information.
Allow us to respond and mitigate within a reasonable amount of time.

Note that you will still have to abide by any applicable law and that potential law enforcement consequences are not within our control.

Our commitment

We will put effort to

respond with 3 business days
handle your report and personal details in a confidential manner
keep you posted on the progress
reward you in cases of serious and unknown vulnerabilities, containing enough information to swiftly reproduce

Note that people who are in any way involved with designing, regulating, auditing, creating or maintaining our services or platform are not eligible for reward.

Out of scope

The following is specifically out of scope and not eligible for reward either:

reports without clear description of potential exploits
vulnerabilities concerning other sites and domains than the ones affiliated with Payconiq
CSFR issues on public and non-authenticated web pages
The absence of best practice security headers, like HSTS, HttpOnly, CSP, XSS or click-jacking related headers
possible old/vulnerable third party/off-the-shelf systems without evidence that they are exploitable and impacting our platform security
TLS/SSL related configuration issues
payconiq.be and Payconiq by Bancontact mobile app