Bug Bounty Program

Guidelines

We ask that all researchers:
    Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
    Use the identified communication channels to report vulnerability information to us
    Report vulnerabilities as soon as you discover them, but keep them confidential between yourself and Shakepay until we’ve resolved the issue
    Provide us with at least 5-7 working days to investigate the issue and get back to you

Additionally, if you are the first to report the issue, and we make a code or configuration change based on the issue, we commit to:

Reward you with a bounty (up to a maximum of CAD $5000 paid out per month):
    Up to CAD $4000 if you identified a vulnerability that presented a severe risk
    Up to CAD $1000 if you identified a vulnerability that presented a moderate risk
    Up to CAD $50 if you identified a vulnerability that presented a low risk
    CAD $5 if there was in fact no vulnerability, but we nonetheless made a related code or configuration change
Please note that the reward will be determined at our discretion depending on the impact of the vulnerability.
Examples of vulnerabilities and the levels we assign them:

Severe risk:

    Stored cross-site scripting (XSS) vulnerability
    Remote code execution
    File system access
    Exfiltration of digital or fiat currency

Moderate risk:

    Authentication flaw
    Cross-Site Request Forgery (CSRF) on user data
    Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)
    Vulnerabilities when uploading documents

Low risk:

    Self-XSS, where a user performs XSS on themselves only
    On a case-by-case basis, issues with publicly available malicious browser extensions that capture user data
    On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer, or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)

Payout

Payouts will be made in either Bitcoin or Interac e-Transfer. The researcher will provide us with a Bitcoin address or email address for the payout within 7 days after we have resolved the issue.

Scope

Out of scope

    Findings derived primarily from social engineering (e.g. phishing)
    Findings from applications or systems not listed in the ‘Scope’ section
    Physical security
    UI/UX bugs and spelling mistakes
    Network-level Denial of Service (DoS/DDoS) vulnerabilities
    Spam or social engineering techniques, including SPF and DKIM issues
    Security bugs in third-party applications or services
    XSS exploits that do not pose a security risk
    HTTPS/SSL or server-info disclosure related issues
    Brute-force attacks

How to report a security vulnerability

Email us at [email protected] and include:
    A description of the location and potential impact of the vulnerability
    A detailed description of the steps required to reproduce the vulnerability (PoC scripts, screenshots, and compressed screen captures are all helpful to us)

Fine print

We reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.