MPayN Bug Bounty Program
At MPayN, security is our top priority, and we value the contributions of the security research community in helping us maintain the safety and reliability of our platform. Through our Bug Bounty Program, we invite security researchers, ethical hackers, and developers to identify and responsibly disclose vulnerabilities that could impact our services or our users.
This program rewards those who help us enhance our platform’s security, ensuring that MPayN remains a secure environment for all users.
Why Participate in MPayN’s Bug Bounty Program?
Security researchers who participate in our Bug Bounty Program have the chance to:
- Earn Rewards: Receive monetary rewards based on the severity of the identified vulnerability.
- Contribute to Security: Play a role in protecting MPayN’s user data and improving the platform’s resilience.
- Enhance Skills: Develop and hone your security research skills in a real-world environment.
- Receive Recognition: Gain acknowledgment and recognition within the security community.
MPayN thanks all participants who contribute their skills and insights to make our platform stronger. To ensure a smooth process, please review our eligibility criteria, scope, and responsible disclosure guidelines below.
Eligibility
The Bug Bounty Program is open to any individual who meets the following criteria:
- Legal Age: Participants must be at least 18 years old or have legal consent to take part in such a program in their jurisdiction.
- Location: Program participants must not reside in a country or region currently under economic or trade sanctions.
- Respect for Privacy and Law: All participants must follow applicable local, national, and international laws and respect the privacy of our users. Unauthorized access or breach of user data is strictly prohibited.
- Responsible Disclosure: The vulnerability must be responsibly disclosed to MPayN and must not be shared with or published to third parties before it is resolved.
If you meet the above requirements, we invite you to participate and help us make MPayN even more secure for all users.
In-Scope Vulnerabilities
The following are examples of vulnerabilities that qualify for our Bug Bounty Program:
- Authentication Flaws: Any weaknesses in the login process, user authentication, or authorization mechanisms.
- Cross-Site Scripting (XSS): Including both stored and reflected XSS vulnerabilities that may compromise user data.
- Cross-Site Request Forgery (CSRF): Attacks that could lead to unauthorized actions within a user’s account.
- SQL Injection (SQLi): Vulnerabilities that allow direct access to MPayN’s databases.
- Remote Code Execution (RCE): Critical vulnerabilities allowing attackers to execute code on our servers.
- Access Control Issues: Bugs that allow unauthorized access to accounts, information, or settings.
- Business Logic Vulnerabilities: Bugs that allow bypassing critical flows, like payments and fund transfers.
- Server-Side Request Forgery (SSRF): SSRF vulnerabilities that could lead to unauthorized access or data leaks.
- Directory Traversal: Vulnerabilities allowing access to files or directories outside intended paths.
- Sensitive Information Exposure: Any vulnerability that could reveal confidential data, such as payment information or personal user data.
Out-of-Scope Vulnerabilities
While we encourage all submissions, the following types of vulnerabilities are generally out of scope and will not be eligible for rewards:
- Rate Limiting or Brute Force Attacks on Non-Critical Features
- Distributed Denial of Service (DDoS) Attacks
- Email Spoofing or Social Engineering Attacks on MPayN Employees
- Vulnerabilities in Third-Party Platforms (e.g., social media platforms)
- Self-XSS or Vulnerabilities Requiring Physical User Interaction
- Spam and Phishing Attacks
- Minor Content Injection or Cosmetic UI Bugs
- Known CVEs without Original or Novel Exploits in MPayN’s Context
We focus our rewards on vulnerabilities that could potentially cause harm to our users or compromise our systems’ confidentiality, integrity, and availability.
Program Rules
- No Disruption of Services: Avoid any actions that could disrupt the functionality or availability of MPayN services, including DDoS attacks.
- Confidentiality: Do not share any information about the vulnerability before it has been reviewed and resolved by MPayN.
- Responsible Disclosure: After submitting a vulnerability, please allow our security team adequate time to investigate and resolve the issue.
- Respect User Privacy: Do not access or alter other users’ data. Your testing should focus solely on identifying vulnerabilities.
- Do Not Use Automated Tools Unnecessarily: Use discretion when running scripts or tools that might strain MPayN’s servers.
Submission Guidelines
To submit a vulnerability, please provide:
- Clear Title: A concise summary of the vulnerability.
- Description: Details of the vulnerability, including its impact, affected endpoint or URL, and potential consequences.
- Reproduction Steps: Include step-by-step instructions to reproduce the vulnerability.
- Proof of Concept (PoC): Attach screenshots, videos, or code snippets demonstrating the issue.
- Suggested Fixes (Optional): Recommendations for resolving the issue are appreciated.
How to Submit: Send your report via our secure bug submission portal at [email protected]. MPayN will acknowledge your submission within 48 hours.
Rewards
Our Bug Bounty Program offers rewards based on the severity of the vulnerability, using the following criteria:
- Low Severity: Minor issues with limited impact (e.g., small UI bugs). Reward: INR 100 – INR 500
- Medium Severity: Vulnerabilities that could affect a subset of users. Reward: INR 500 – INR 2,000
- High Severity: Significant issues impacting user data or functionality. Reward: INR 2,000 – INR 5,000
- Critical Severity: Major security flaws impacting platform-wide security, such as SQLi or RCE vulnerabilities. Reward: INR 5,000 – INR 10,000
MPayN reserves the right to adjust reward amounts based on the quality and uniqueness of each submission.