iPay Bug Bounty Program

At iPay, we take your safety, security and privacy seriously. We utilize the best practices and are confident that our systems are secure. We are committed to protect our customers’ privacy and the personal data we receive from them, for ensuring their safety we are offering a bug bounty program. We believe that this program will further enhance our security and allow us to continue to provide excellent service. If you think you have discovered a potential security bug that affects our websites, apps and/or online portals, please let us know. If the submission meets our requirements, we’ll gladly reward you for your time and efforts.

Before reporting a security bug, please review the iPay Terms. By participating in the bug bounty program, you agree to comply with these terms.

What is a bug bounty program?
A bug bounty program permits independent researchers, security experts, to discover and report security issues that affect the confidentiality, integrity and/or availability of customer or company information and rewards them for being the first to discover a bug.

Eligibility requirements

To ensure that submissions and payouts are fair and relevant, the following eligibility requirements and guidelines apply to all researchers submitting bug reports:

  • All bugs must be new discoveries. Rewards will be provided only to the first researcher who submits a particular security bug.
  • The researcher must be an iPay member in good standing. If you’re not yet a member, join iPay now.
  • The researcher submitting the bug must not be an employee of iPay, or a family member or household member of an employee of iPay.
  • The researcher submitting the bug must not be the author of the vulnerable code.

Do not attempt:
We do not allow any actions that could negatively impact the experience on our websites, apps or online portals for other iPay customers. Attempting any of the following actions will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation.

  • Brute-force attacks.
  • Code injection on live systems.
  • Disruption or denial-of-service attacks.
  • Compromise or testing of iPay accounts that are not your own.
  • Any threats, attempts at coercion or extortion of iPay employees, or customers.
  • Physical attacks against iPay employees, or customers.
  • Vulnerability scans or automated scans on iPay servers (including scans using tools such as Acunetix, Core Impact or Nessus)

Bounties
If you have discovered a security bug that meets the requirements, and you’re the first eligible researcher to report it, we will gladly reward you for your efforts. Bounty payout structure is given below, which is based on the severity and impact of bugs.

 

Bug Bounty payout structure

High
Remote code execution
Tk. 10,000/-

Medium
Authentication bypass
Brute-force attacks
Potential for personally identifiable information (PII) disclosure
Timing attacks
Tk. 5,000/-

Low
Cross-site scripting
Cross-site request forgery
Third-party security bugs that affect iPay
Tk. 2,000/-

Submissions
If you think you have discovered an eligible security bug, we would love to work with you to resolve it.

  • Please email us at bugb[email protected] and include “Bug Bounty Submission” in the subject line.
  • Within the body of the email, please describe the nature of the bug along with any steps required to replicate it, as well as pertinent applications, programs or tools used to discover the bug, the date and time of discovery of the bug.
  • Include your iPay registered name, Mobile Number and IP address that you used during testing and finding the bug.
  • A drafted report including legible screenshots will be greatly appreciated.

Please feel free to reach out to us at [email protected] with any questions regarding the bug bounty program. We may not be able to reply to your email right away, but we’ll respond as soon as possible. We look forward to hearing from you.

 

Terms and conditions

  • By participating, you agree to comply with the iPay Terms.
  • The Program is not a game or competition, but rather an experimental and discretionary reward program. Offer is valid for qualified “Bugs” submitted on or after March 1, 2016. We may cancel the Program at any time and the decision as to whether or not to pay rewards is entirely within iPay’s discretion.
  • The iPay “Bug Bounty” offer is only open to iPay members who are 14 years of age or older at the time of submission. Offer is void where prohibited and subject to all laws. Employees, officers and directors (and their respective immediate family members (spouse, parents, siblings, children) or household members (whether or not related)) of iPay or its parent(s), subsidiaries, affiliated companies, agents, or contractors, and anyone who participates in the administration of the Bug Bounty program are not eligible.
  • Bugs must be submitted to [email protected] and include the researcher’s legal name, iPay number and phone number as well as a detailed description of the Bug and supporting evidence.
  • Bugs must be new discoveries. Rewards will be provided only to the first eligible researcher to submit a particular Bug.
  • The researcher submitting the Bug must not be the author of the vulnerable code.
  • Bugs or potential Bugs you discover may not at any time be disclosed publicly or to a third-party. Doing so will disqualify you from receiving rewards.
  • You must not knowingly or intentionally access or acquire the personal information of any iPay customer or member. In the event if it is determined that you knowingly or intentionally accessed the personal information of any iPay customer or member, you will immediately become ineligible to participate in this Program. In the event you inadvertently access or acquire the personal information of any iPay customer or member, you must immediately cease all activity.
  • Rewards may be earned once for each qualifying Bug submitted. You can earn rewards an unlimited number of times in accordance with these terms and conditions.