In order for Mypinpad to consider your submission the following criteria will apply: Violation of any law that applies to regions involved in the submission. If you are considered to be a minor in either of the countries involved in the submission, you must get parent’s or minder’s approval. The only compensation provided is through public recognition so please refrain from other types.

The following links cover our web presence mypinpad.com The following software is also covered by this policy: Android CPoC/SPoC app iOS SPoC app Regarding the vulnerabilities that are in scope, here is the list that apply: Server-side or remote code execution (RCE) Authentication or authorization flaws, including insecure direct object references and authentication bypass Injection vulnerabilities, including SQL and XML injection Directory traversal Significant security misconfiguration with a verifiable vulnerability The following vulnerabilities will be also considered for web sites: Disclosure of sensitive or personally identifiable information Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) for sensitive functions in a privileged context

Any software in the form of application, either web or mobile, and/or services that are not described in the above section are considered to be outside of scope. Therefore, any activity identified on them will be rejected and considered a breach of policy, treated as an illegal conduct, and reported to the relevant parties for prosecution.

In order for us to receive and accept your reports you need to use the following information:

Send any communications to respdisclosure@mypinpad.com with all the relevant information regarding the vulnerability identified. Remember that all the information presented is used for verification purposes so the more detailed you provide the better for us to consider your report. The following considerations should be in place for all parties involved in the disclosure: ✓ Respect merchant’s and their customers’ privacy. ✓ Be transparent and open No other forms of reporting will be considered under this policy and any public interaction over other channels (e.g. Facebook, twitter, etc.) will not be considered formal and tolerated.

An individual participating in the responsible disclosure process is voluntarily and any report will be considered for review. No monetary recognition will be given to the reporters for their voluntary work, but we will be happy to provide public recognition for their hard work and invaluable input.