Responsible Disclosure Policy

Introduction

Zivy takes the security of our systems and its data very seriously. We are continuously striving to maintain and ensure that our environment is safe and secure for everyone to use. If you’ve discovered any security vulnerabilities associated with any of our Zivy services, we do appreciate your help in disclosing it to us in a responsible manner. Zivy will engage with you as external security researchers (the Researcher) when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy.
If a Researcher follows the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us, unless prescribed otherwise by law or the payment scheme rules, we commit to:
  • promptly acknowledging receipt of your vulnerability report and work with the researcher to understand and attempt to resolve the issue quickly;
  • validating, responding and fixing such vulnerability in accordance with our commitment to security and privacy. We will notify you when the issue is fixed.
  • unless prescribed by law otherwise, not pursue or take legal action against you or the person who reported such security vulnerabilities;
  • not suspend or terminate access to our service/services if you are a customer. If you are an agent, not suspend or terminate merchants access to our services to which the agent represents;

In Scope of this Policy

Any of the Zivy services’ APIs, web apps, mobile apps, which process, store, transfer or use in one way or personal or sensitive personal information, such as PII data and authentication data.

Domains

https://api.zivy.app
https://web.zivy.app

Focus Areas

Automated tools or scripts ARE STRICTLY PROHIBITED, and any POC submitted to us should have a proper step-by-step guide to reproduce the issue. Abuse of any vulnerability found shall be liable for legal penalties.
  • SQL Injections
  • Remote Code Execution (RCE) vulnerabilities
  • Shell Upload vulnerabilities (only upload basic backend script that just prints some string, preferably try printing the hostname of the server and stop there ! YES STOP THERE!)
  • Authentication and Authorization vulnerabilities including horizontal and vertical escalation. (Use 2 different test accounts created by you)
  • Domain take-over vulnerabilities
  • Stored XSS
  • Bulk user sensitive information leak
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Any vulnerability that can affect the Zivy Brand, User data and PII.

Out of Scope

General

  • Any service that is not mentioned in the In Scope domains section
  • IDOR references for objects that you have permission to access
  • Duplicate submissions that are being remediated
  • Known issues
  • Rate limiting (Unless it implies severe threat to data, business loss)
  • Multiple reports for the same vulnerability type with minor differences
  • Open redirects
  • Clickjacking and issues only exploitable through clickjacking
  • Only session cookies needed http and secure flags. Apart from these, for other cookies we won't consider as vulnerability
  • Issues without clearly identified security impact such as missing security headers.
  • Missing CAA headers
  • Vulnerabilities requiring physical access to the victim's unlocked device.
  • Formula Injection or CSV Injection
  • DOM Based Self-XSS and issues exploitable only through Self-XSS.

System and Infrastructure Related

  1. Patches released within the last 30 days
  2. Networking issues or industry standards
  3. Password complexity
  4. Email related:
    • SPF or DMARC records
    • Gmail "+" and "." acceptance
    • Email bombs
    • Unsubscribing from marketing emails
  5. Information Leakage:
    • HTTP 404 codes/pages or other HTTP non-200 codes/pages
    • Fingerprinting / banner disclosure on common/public services
    • Disclosure of known public files or directories, (e.g. robots.txt)
  6. Cacheable SSL pages

System and Infrastructure Related

  1. Forgot Password page bruteforce and account lockout not enforced
  2. Lack of Captcha
  3. Presence of application or web browser 'autocomplete' or 'save password' functionality
  4. Session Timeouts

Testing

A Researcher can test only against their own account if they are an account owner or an agent authorised by the account owner to conduct such testing.

As a Researcher, in no event are you permitted to access, download or modify data residing in any other account or that does not belong to you or attempt to do any such activities.

In the interest of the safety of our users, employees, the Internet at large and you as a Researcher, the following test types are expressly excluded from scope and testing: any findings from physical testing (office access, tailgating, open doors) or DOS or DDOS vulnerabilities. A responsible disclosure also does not include identifying any spelling mistakes, or any UI and UX bugs.

Rules

We require that all Researchers must:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  • Not attempt to gain access to any other person's account, data or personal information.
  • Use their real email address to sign up and report any vulnerability information to us.
  • Keep information about any vulnerabilities you've discovered confidential between yourself and Zivy. Zivy will take a reasonable time to remedy such a vulnerability (approximately 1 month as a minimum but this is dependent on the nature of the security vulnerability and regulatory compliance by Zivy). The Researcher shall not publicly disclose the bug or vulnerability on any online or physical platform before it is fixed and prior written approval to publicly disclose from Zivy.
  • Not perform any attack that could harm the reliability, integrity and capacity of our Services. DDoS/spam attacks are STRICTLY not allowed.
  • Not use scanners or automated tools to find vulnerabilities (noisy and we may automatically suspend your account and ban your IP address).
  • As a Researcher, you represent and warrant that you have the right, title and interest to disclose any vulnerability found and to submit any information, including documents, codes, among others, in connection therewith. Once you inform a vulnerability, you grant Zivy, its subsidiaries and affiliates an irrevocable, worldwide, royalty-free, transferable, sublicensable right to use in any way Zivy deems appropriate for any purpose, such as: reproduction, modification, distribution, adaptation among other uses, the information related with the vulnerabilities. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by Zivy.
  • Include a custom HTTP header in all your traffic with an ID. (Burp and other proxies allow easy automatic addition of headers to all outbound requests.)

A header that includes a random uuid:
X-Responsible-Disclosure: RDP-<random_uuid>

Remember that you must never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

Please include the following information with your report:
  • Detailed description of the steps required to help us reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
  • Your email address.

Report Template

The identified bug shall have to be reported to our security team by sending us a mail from their registered email address to security@zivy.com (SUBJECT: SUSPECTED VULNERABILITY ON ZIVY) (without changing the subject line else the mail shall be ignored). The mail should strictly follow the format below:

Individual Details:
  • Full Name:
  • Mobile Number:
  • Any Publicly Identifiable profile(LinkedIn, Github etc.):
  • Bug Details:
    • Name of the Vulnerability:
    • Areas affected:
  • Impact:
    • Detailed steps to reproduce (transaction id's can also be provided here):

We currently do not offer any monetary compensation. However, we may send out Zivy swag in some cases.

Requests or demands for monetary compensation in connection with any identified or alleged vulnerability are non-compliant with this Responsible Disclosure Policy.

Consequences of Complying with This Policy

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorised” conduct under the Computer Fraud and Abuse Act. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

If legal action is initiated by a third party against you and you have complied with Zivy’s Vulnerability Disclosure Program, Zivy will take steps to make it known that your actions were conducted in compliance with this policy.

Public Disclosure Policy

By default, this program is in “PUBLIC NONDISCLOSURE” mode which means:

"THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO PUBLIC, FAILING WHICH SHALL BE LIABLE FOR LEGAL PENALTIES!”

The Fine Print

We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.

Contact us at security@zivy.app for more details.