Disclosure Policy


At WeGoFin, we're dedicated to upholding the strictest security and privacy guidelines to protect our clients' and companies' interests. We understand how critical it is to work together with the security community to find and fix possible vulnerabilities. Because of this, we are happy to have outside security researchers report vulnerabilities to us in accordance with our Responsible Disclosure Policy.

Engagement Process:

When security vulnerabilities are reported to us in adherence to this policy, we commit to the following:

Acknowledgment and Collaboration:

  • As soon as we receive your vulnerability report, we will swiftly acknowledge it and collaborate directly with you to quickly identify and resolve the issue.

Validation and Resolution:

  • We will validate, respond to, and resolve reported vulnerabilities in alignment with our dedication to security and privacy. Upon resolution, we will notify you accordingly.

Legal Considerations:

  • We will not pursue or take legal action against you or the individual who reported the security vulnerabilities, except as required by law or payment scheme regulations.

Access Suspension/Termination:

  • We won't stop or restrict your access to our services if you're a merchant. In a similar vein, we won't abruptly suspend or terminate a merchant's access to our services if you are an agent acting on behalf of the merchant.

Response Targets:

We strive to adhere to the following Service Level Agreements (SLAs) for researchers participating in our program:

  • Time to first response (from report submission): 3 business days
  • Time to triage (based on the supplied report): 5 business days
  • Time to bounty (after triage): 10 business days
  • Time to resolution: variable, depending on severity and complexity

Throughout the process, we will endeavour to keep you informed of our progress.

Disclosure Policy:

To report any bugs identified, please send an email from your registered email account to info@wegofindigital.com with a subject line prefixed "Bug Bounty". The email should have the following format:

Subject:

Bug Bounty: <Category of Vulnerability> - <Bounty Hunter Full Name>

Email Body:

Information on Vulnerability:

  • Vulnerability Name:
  • Description:
  • Steps to Reproduce:
  • Recommendation:
  • Vulnerable Instances:
  • Category of Vulnerability:
  • Impact:
  • Proof of Concept:

Bounty Hunter Details:

  • Full Name:
  • Mobile Number:
  • Email Address:

For the vulnerability category in the subject line, please select the category that most closely matches those defined in our Reward Categorization. Our security team will review submissions and respond within 3 business days.

Program Rules:

  • Provide detailed reports with reproducible steps. Inadequately detailed reports will not be eligible for a reward.
  • Submit one vulnerability per report unless vulnerabilities need to be chained to demonstrate impact.
  • Duplicates will only be awarded to the first report received, provided it can be fully reproduced.
  • Social engineering activities are prohibited.
  • Make a good-faith effort to avoid privacy violations, data destruction, and interruption of service.

Test Plan:

  • Conduct tests with appropriate data without misusing it for transactions.
  • Use Indian rupees for testing with varied datasets.
  • Employ a proper testing environment.

Reward Categorization:

Note: We strictly prohibit the use of automated tools or scripts, and any proof of concept that is sent to us must include a detailed, step-by-step procedure for replicating the problem.

Any vulnerability that is abused will result in legal repercussions.

Note: Bounty rewards will be decided after consultation with the stakeholder leadership committee.

The WeGoFin security team will pay out all bounties after conducting an internal evaluation. Vulnerability groupings, based on impact, are categorised below by severity. This severity-based categorization was developed to shed light on our vulnerability assessment process. It is not comprehensive, and WeGoFin reserves the right to update this list at any time.

Critical

  • SQL Injection (capable of gaining access to and modifying PII and sensitive data)
  • Remote Code Execution (RCE)
  • Shell upload flaws (only submit a simple backend script that outputs a string; ideally, print the server's hostname and stop there)
  • Vertical privilege escalation (gaining admin access)
  • Bulk breach of user data
  • Business logic vulnerabilities that could seriously affect the WeGoFin brand, user data (customer, vendor, delivery executive), or financial transactions

High

  • Non-Blind SSRF
  • Horizontal privilege escalation
  • Authentication bypass
  • Subdomain Takeover (On active domains)
  • Vertical privilege escalation (Gaining admin access)
  • Stored XSS
  • Account Takeover (Without user interaction)
  • Mobile app vulnerability (exposes sensitive data without requiring root or jailbreak access to the device)
  • IDOR (able to read and modify sensitive data)
  • Deserialization vulnerabilities

Medium

  • Account Takeover (With user interaction)
  • IDOR (capable of gaining access to and altering non-sensitive data)
  • Reflected/DOM XSS that allows theft of user cookies
  • Subdomain Takeover (on inactive domains)
  • Injection attacks (such as host header injection and formula injection)
  • Vulnerability in mobile apps (needs root/jailbreak access to access sensitive data on the device)

Low

  • Path traversal yielding non-sensitive data
  • IDOR (Disclosure of non-sensitive information)
  • Vulnerability in mobile apps (needs root/jailbreak access and access to non-sensitive data on the device)
  • Mobile app vulnerability (accessing non-sensitive data and not requiring root or jailbreak access on the device)
  • Bypassing CAPTCHAs

Exclusions:

General

  • IDOR on resources you are already authorised to access
  • Duplicate reports of issues already being fixed
  • Known issues
  • Missing rate limiting (unless it leads to serious data exposure or business loss)
  • Several reports with slight variations on the same vulnerability type (only one will be rewarded)
  • Open redirects
  • Clickjacking and problems that can only be exploited by clickjacking
  • Missing HttpOnly or Secure flags on cookies other than session cookies (only session cookies are required to carry these flags)
  • Social Engineering attacks
  • Updates issued in the previous thirty days
  • Networking issues or deviations from industry norms
  • Password complexity
  • Unsubscribing from marketing emails
  • SPF or DMARC records
  • Email bombs
  • Gmail "+" and "." acceptance

Information Leakage

  • Detailed error messages (such as Stack Traces, issues related to the program or server)
  • Other HTTP non-200 codes/pages, such as HTTP 404 codes
  • Banner disclosure and fingerprinting on public and common services
  • Revealing publicly accessible files or directories, such as robots.txt
  • Cacheable SSL pages
  • SSL/TLS best practices

CSRF

  • Cross-Site Request Forgery (CSRF) on anonymous user-accessible forms (such as the sign-up and contact forms)
  • Logout CSRF
  • Missing CSRF protection in APIs
  • Session Timeouts
  • 'Autocomplete' or 'save password' features in an application or web browser
  • Lack of Captcha
  • Forgot Password page brute force and account lockout not enforced
  • Sessions not expiring after email change

Safe Harbor

Any actions carried out in line with this policy will be regarded as permitted behaviour, and you won't face any legal repercussions from us. If a third party brings legal action against you in relation to activities you carried out under this policy, we will take steps to demonstrate that your actions were compliant with it.

We appreciate you keeping our users and WeGoFin Financial safe!

Scopes:

In Scope

Web - https://app.Wegofin

NON-DISCLOSURE TERMS ("TERMS"):

Definition

All information provided in confidence to the Participant by the Company, or otherwise obtained by the Participant in any way while participating in this Security Bug Bounty Responsible Disclosure Program, is considered "confidential information." This includes:

  1. All data that, in the context of disclosure or by its very nature, a reasonable person would consider confidential, including technical and non-technical data, intellectual property rights, know-how, designs, techniques, plans, procedures, improvements, technology or methods, object codes, source codes, databases, and any other data pertaining to the company's product, work-in-progress, or future developments.
  2. Plans for goods and services; lists of clients or vendors; financial information; operations; sales forecasts; patterns of ownership; business plans; and performance reports concerning the company's previous, current, and prospective business and marketing strategies.
  3. This Agreement's terms, the technical documentation, and other information pertaining to the Company's product
  4. Any information which may be communicated.

Obligation Of Confidentiality:

  1. The Participant agrees to treat all confidential information with care and to keep it that way. Regarding the same, the Participant consents to and undertakes the following:
    • The Parties do not form a partnership or joint venture as a result of these Terms.
    • The Participant agrees not to publish, distribute, or reveal any confidential information for a period of five (5) years.
    • The Participant may not use the confidential information for any other purpose than advancing the Purpose.
  2. No portion of the confidential information may be copied or reproduced in writing by the participant. Any copies, reproductions, or reductions of the confidential information to written form that have already been made by the parties are the property of the company.
  3. From the date of agreement to these Terms, the Participant shall not independently develop or have developed for itself any goods, concepts, systems, or methods that are comparable to or in competition with the goods, concepts, systems, or methods considered or embodied in the Company's Confidential Information or the Purpose; any such development shall be interpreted as a breach of the Participant's obligations under these Terms.
  4. As a condition of participating in this agreement, the Participant shall indemnify, defend, and hold the Company harmless from and against any losses, costs, expenses, or damages of any kind that may be incurred or suffered by the Company as a result of any breach of contract, warranty, tort (including negligence), or other obligation of the Participant.

Ownership:

All confidential information that the company gives to the participant will remain its sole property, subject to the rights and privileges that the company expressly grants under the terms stated above.

All rights, title, and interest in and to the confidential information shall belong solely and exclusively to the Company, including ownership of any related copyrights, patents, and trade secrets.

Upon the Company's request at any time, the Participant shall promptly return to the Company all materials or documents that contain or reflect any Confidential Information, including copies of any analyses, compilations, studies, or other documents prepared by and/or for the Company, containing or reflecting any Confidential Information, as well as any copies, summaries, and notes of the contents thereof (whether in hard or soft copy form).

Remedies:

The Participant acknowledges and agrees that the Company will suffer serious and irreversible loss, injury, and harm, the precise amount of which may be impossible to determine, should any confidential information be disclosed or misused in breach of the confidentiality obligations.

The Participant further acknowledges and agrees that the Company may, without posting a bond or other security, apply to a court of competent jurisdiction for specific performance, an order restraining and enjoining any further disclosure or breach, and/or any other relief the Company deems appropriate.

The Company is entitled to specific performance or any other equitable remedy available to it, a temporary or permanent injunction, and a temporary restraining order, in addition to any other legal remedies available to it, without having to prove actual damages. The Participant waives any defence that an award of damages would be an adequate remedy.

No Warranties:

Nothing in the Terms listed above should be interpreted as requiring the Company to provide the Participant with any information.

Miscellaneous:

Any notice or correspondence that is required to be sent to the participant under this agreement must be sent in writing to the intended participant at the email address that the participant provided during registration.

  1. The Participant shall be bound in full by these Terms.
  2. The Participant agrees not to assign these Terms or any portion of them.
  3. If the Company fails to insist upon or enforce strict performance of any of the Terms mentioned above, or to exercise any of the rights or remedies mentioned above, it shall not be deemed to have waived or relinquished its right to assert or rely upon those provisions, rights, or remedies in that or any other instance; the foregoing shall remain in full force and effect.
  4. The laws of the Republic of India shall apply to the interpretation, governance, and enforcement of these Terms.
  5. The only courts with jurisdiction will be those in Bangalore.