MYPINPAD Responsible Disclosure

If you believe you have discovered a vulnerability in one of MYPINPAD’s solutions, please let us know by sending a report to respdisclosure@mypinpad.com.

To help us quickly identify and fix the vulnerability, please consider the following in your submission.

Eligibility

For MYPINPAD to consider your submission, the following criteria apply:

  • Your research must not violate any law that applies in the regions involved in the submission.
  • If you are considered a minor in any of the countries involved in the submission, you must obtain a parent’s or guardian’s approval.
  • The only compensation offered is public recognition; please do not request any other form.

Scope

URLs

The following domains cover our web presence:

  • mypinpad.com

The following software is also covered by this policy:

  • iOS MPP mPOS App
  • Android MPP mPOS App

The following vulnerability classes are in scope:

  • Server-side or remote code execution (RCE)
  • Authentication or authorization flaws, including insecure direct object references and authentication bypass
  • Injection vulnerabilities, including SQL and XML injection
  • Directory traversal
  • Significant security misconfiguration with a verifiable vulnerability

The following vulnerabilities will also be considered for websites:

  • Disclosure of sensitive or personally identifiable information
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF) for sensitive functions in a privileged context

Out of scope

Any application, whether web or mobile, and any service not listed in the section above is considered out of scope. Any activity identified against such assets will be rejected, treated as a breach of this policy and as illegal conduct, and reported to the relevant parties for prosecution.

How to contact us

To ensure we receive and accept your report, use the following channel:

Email

Send all communications to respdisclosure@mypinpad.com with every relevant detail about the vulnerability you identified. Remember that the information you provide is used to verify the issue, so the more detail you include (for example the affected component, the steps to reproduce it and the impact you observed), the better we can assess your report.

All parties involved in the disclosure should observe the following:

✓ Respect merchants’ and their customers’ privacy.

✓ Be transparent and open.

No other form of reporting is covered by this policy. Public interaction over other channels (e.g. Facebook, Twitter) will not be treated as a formal report and will not be tolerated.

Terms and conditions

Participation in the responsible disclosure process is voluntary, and every report will be considered for review. No monetary reward is given to reporters for their voluntary work, but we are happy to provide public recognition for their hard work and invaluable input.