- OVERVIEW
- ELIGIBILITY
- YOUR COVENANTS
- SUBMISSION PROCESS
- GRANT OF LICENSE
- CONFIDENTIALITY AND RESTRICTIONS ON DISCLOSURE
- REVIEW PROCESS
- AWARDING REWARDS POINTS
- PUBLIC RECOGNITION
- PRIVACY
- CODE OF CONDUCT
- NO WARRANTIES
- INDEMNIFICATION
- LIMITATION OF PAYU LIABILITY
- DISPUTE RESOLUTION AND GOVERNING LAW
- MISCELLANEOUS
- UNSOLICITED IDEAS
- Annex 1: Illustrative Vulnerabilities
- Annex 2: PayU Products
- Annex 3: Out of Scope Vulnerabilities
1.OVERVIEW
1.1We, at PayU Payments Private Limited (“PayU” or “us” or “we”), take the security of our systems and our data very seriously and value the security community. PayU continuously strives to maintain and ensure that our environment is safe and secure for everyone to use. If you have discovered any security vulnerabilities associated with any of the Products (as defined below), PayU does appreciate your help in disclosure of such vulnerabilities in a responsible manner.
1.2PayU genuinely values the assistance of the security researchers and others in the digital security community to assist in keeping our systems secure. PayU will investigate all legitimate reports and fix the problem as soon as possible.
1.3The PayU Responsible Disclosure Policy along with such other policy as referred herein (Policy" or “Terms”) covers the terms of your participation in the PayU Responsible Disclosure Program (the "Program"). The Program enables users to submit vulnerabilities and exploitation techniques an illustrative and non-exhaustive list of which is provided under Annex 1 here to ("Vulnerabilities") to PayU about eligible PayU products and services on domains as exhaustively listed under Annex 2 here to ("Products") for a chance to earn reward points as determined by PayU in its sole discretion ("Reward Points"). The decisions made by PayU regarding Reward Points are final and binding.
1.4The Policy forms the contractual relationship between you and PayU with respect to the Program. Participants in the Program hereby irrevocably, unconditionally and unequivocally accept and agree to abide by the Policy. Participants are advised to revisit the Policy regularly to check the terms and conditions and the updates. By submitting any Vulnerabilities to PayU or otherwise participating in the Program in any manner, you, expressly, irrevocably and unconditionally acknowledge, confirm and accept the Policy, as amended from time to time in the sole discretion of PayU. PayU may change or cancel the Program at any time, for any reason at its sole discretion. PayU reserves the right but not the obligation to make changes to the Policy and/or the Program at its sole discretion which will be effective once they are published. Participating in the Program after any changes become effective means you agree to the new Terms and/or Program. If you don't agree to the new Policy (or any amendments thereof), you must not participate in the Program.
2.ELIGIBILITY
2.1You may participate in the Program if you meet all of the following criteria:
- You are at least 18 years old; and
- You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate in the Program.
2.2You are not eligible to participate in the Program if you meet any of the following criteria:
- You are a resident of any countries under sanctions or any other country that does not allow participation in this type of program;
- You are under the age of 18;
- Your organization does not allow you to participate in these types of programs;
- You are in breach of your employer’s policy with respect to participation in the Program or receipt of the Reward Point under the Program;
- You are currently an employee of PayU or a PayU subsidiary, or a PayU group entity or an immediate family (parent, sibling, spouse, or child) or household member of such an employee;
- Within the six months prior to providing PayU your Submission you were an employee of PayU or a PayU subsidiary or a PayU group entity;
- You currently (or within six months prior providing to us your Submission) perform services for PayU or a PayU subsidiary in an external staff capacity that requires access to PayU group, such as agency temporary worker, vendor employee, or contractor; or
- You are or were involved in any part of the development, administration, and/or execution of this Program.
2.3You are responsible for reviewing and complying with your employer's rules for participating (including to the extent applicable receiving the Reward Points) in this Program. It is your responsibility to comply with any polices that your employer may have that would affect your eligibility to participate in the Program or to receive the Reward Points. If you are participating in violation of your employer’s policies, you may be disqualified from participating or receiving any Reward Points.
2.4To the extent applicable, all awards of Reward Points will be made in compliance with local laws, regulations, and ethics rules. PayU disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter.
2.5There may be additional restrictions on your ability to enter the Program depending upon your local law.
3.YOUR COVENANTS
3.1You represent, warrant, undertake and covenant to:
- Refrain from privacy violations, degradation of user experience, disruption to our systems, and destruction of data during security testing.
- Perform research only within the scope set out in this Policy.
- Use the identified communication channels to report Vulnerability information to PayU.
- Keep information about any Vulnerabilities you’ve discovered confidential between yourself and PayU. PayU will take a reasonable time to remedy such vulnerability (approximately 30 days as a minimum but this is dependent on the nature of the security vulnerability and regulatory compliance by PayU). You shall not publicly disclose the Vulnerability on any online or physical platform before it is fixed and prior written approval from PayU to publicly disclose such Vulnerability.
- Have the right, title and interest to disclose any Vulnerability found and to submit any information, including documents, codes, among others, in connection therewith.
- Waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by PayU.
- You are not guaranteed any compensation or credit for use of your Submission; and
- Your Submission is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Submission to PayU.
- Not perform any attack that could harm the reliability, integrity and capacity of our Products.
- Not undertake directly or indirectly any denial of service/spam attacks in any manner whatsoever are strictly not allowed;
- Not disclose any card data to any third party whatsoever or in screenshot mentioned for Proof of Concept (PoC).
- Not run automated scanners (PayU may automatically suspend your account and ban your IP address).
- Not undertake any non-technical attacks such as social engineering, phishing, or physical attacks against PayU employees, personnel, users, or infrastructure.
4.SUBMISSION PROCESS
4.1If you believe you have identified a Vulnerability (excluding the vulnerabilities that are listed under the Annex 3 that is out of scope vulnerabilities) that meets the applicable requirements set forth in the Policy, you may submit it to PayU, in accordance with the following process:
4.2Each Vulnerability submitted to PayU shall be a "Submission." Submissions must be reported through the form located at the bottom of this page. Please specify the Vulnerability details, and specific product version numbers (to the extent applicable) you used to validate your research. Please also include as much of the following information as possible:
- Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
- Product and version that contains the bug, or URL if for an online service
- Service packs, security updates, or other updates for the product you have installed
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue on a fresh install
- Proof-of-concept or exploit code
- Impact of the issue, including how an attacker could exploit the issue
4.3You must follow these Terms and the form provided hereunder (“Disclosure Protocol”) when reporting all Vulnerabilities to PayU. Submissions that do not follow the Disclosure Protocol may not be eligible for Reward Points and not following the Disclosure Protocol could disqualify you from participating in the Program in the future.
4.4Depending on the detail of your Submission, PayU may award Reward Points of varying scale at its sole discretion. Well-written reports and functional exploits are more likely to result in Reward Points. Those Submissions that do not meet the minimum bar described above are considered incomplete and not eligible for Reward Points. PayU is not responsible for Submissions that we do not receive for any reason.
4.5There are no restrictions on the number of qualified Submissions you can provide and potentially be awarded Reward Points.
4.6It is clarified that, if you submit a Vulnerability for a product or service that is not covered by the Program at the time you submitted it, you will not be eligible to receive Reward Points if the product or service is later added to the Program.
5.GRANT OF LICENSE
5.1PayU does not claim any ownership rights to your Submission. However, by providing any Submission to PayU, you:
- grant PayU, its subsidiaries and affiliates the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Submission: (i) to use, review, assess, test, and otherwise analyze your Submission; (ii) to reproduce, modify, distribute, display, adapt and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and (iii) to feature your Submission and all of its content in connection with the marketing, sale, or promotion of this Program or other programs (including internal and external sales meetings, conference presentations, tradeshows, and screen shots of the Submission in press releases) in all media (now known or later developed
- agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above; and
- understand and acknowledge that PayU may have developed or commissioned materials similar or identical to your Submission, and you waive any claims you may have resulting from any similarities to your Submission.
6.CONFIDENTIALITY AND RESTRICTIONS ON DISCLOSURE
6.1Protecting customers, merchants and partners is one PayU's highest priority. We endeavour to address each Vulnerability report in a timely manner. While we are doing that we require that Program Submissions remain confidential and cannot be disclosed to third parties or as part of paper reviews or conference submissions. You can only make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is fixed. PayU requires that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld after the Vulnerability is fixed. PayU will notify you when the Vulnerability in your Submission is fixed. You may be awarded Reward Points prior to the fix being released and the awarding of Reward Points should not be taken as notification of fix completion. VIOLATIONS OF THIS SECTION COULD REQUIRE YOU TO RETURN OR FOREFEITURE OF REWARD POINTS AWARDED FOR THAT VULNERABILITY AND DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE.
7.REVIEW PROCESS
7.1After a Submission is sent to PayU in accordance with this Policy, PayU engineers will review the Submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your Submission, as well as on the number of Submissions we receive.
7.2PayU retains sole discretion in determining which Submissions are qualified. If PayU receive multiple bug reports for the same issue/Vulnerabilities from different parties, the Reward Points will be granted to the first eligible Submission. If a duplicate report provides new information that was previously unknown to PayU, we may award a differential Reward Points to the person submitting the duplicate report.
7.3If you report a Vulnerability without a functioning exploit, you may be eligible for a partial Reward Point. If you submit the functioning exploit within a reasonable time of submitting the Vulnerability (as may be solely determined by PayU), we may, in our discretion, provide additional Reward Points (but are not obligated to do so).
8.AWARDING REWARD POINTS
8.1The decisions made by PayU regarding Reward Points are final and binding.
8.2If PayU has determined at its sole discretion that your Submission is eligible for a Reward point under the Policy, we will notify you of the Reward point awarded and provide you with the necessary paperwork/documentation to process your award. Failure to deliver the paperwork/documentation as required by PayU may result in the non-awarding of Reward Points. You may waive the award if you do not wish to receive the Reward Points.
8.3If there is a dispute as to who the qualified submitter is, Program owner / platform will consider the eligible submitter to be the authorized account holder of the email address used to enter the Program.
8.4If your Submission qualifies for a Reward Points, please note:
- you shall not designate someone else to receive the Reward Point;
- if you are eligible for this Program but are considered a minor in your place of residence, we may award the Reward point to your parent/legal guardian on your behalf and require them to sign all required forms on your behalf.;
- if you are unable or unwilling to accept your Reward point, we reserve the right to rescind it;
8.5If you follow this Policy when reporting an issue to us, we commit to:
- We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this Policy to constitute “authorized” conduct;
- Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within a reasonable time of your Submission); and
- If legal action is initiated by a third party against you and you have complied with our Policy, PayU will take steps to make it known that your actions were conducted in compliance with this Policy.
9.PUBLIC RECOGNITION
9.1PayU may publicly recognize individuals who have been awarded Reward Points. PayU at its sole discretion may recognize you on web properties or other printed materials or digital platforms or any other media.
9.2Notwithstanding anything to the contrary stated elsewhere, the Policy do not allow public disclosure. You should not release the information about Vulnerabilities to public, failing which you shall be liable for legal penalties.
10.PRIVACY
10.1See the PayU Privacy Policy here for disclosures relating to the collection and use of your information in connection with the Program. Notwithstanding the Privacy Policy, your information may be shared with service providers of PayU in relation to the Program. Your consent is deemed to be granted for such disclosures when you make a Submission.
11.CODE OF CONDUCT
11.1By participating in the Program, you will follow these rules:
- Don’t do anything illegal.
- Don't engage in any activity that exploits, harms, or threatens to harm children.
- Don't send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
- Don't share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).
- Don't engage in activity that is false or misleading.
- Don't engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).
- Don't infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.
- Don't help others break these rules.
11.2If you violate this Policy, you may be prohibited from participating in the Program in the future and any Submissions you have provided may be deemed to be ineligible for receiving Reward Points.
12.NO WARRANTIES
PAYU, AND OUR AFFILIATES, RESELLERS, MERCHANTS, AND VENDORS, MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS COMPLELETELY VOLUNTARY AND AT YOUR OWN RISK. WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW. NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.
13.INDEMNIFICATION
13.1To the maximum extent permitted by law, you agree to indemnify and hold harmless on demand and without any demur PayU and each of its subsidiaries, affiliates, officers, employees, agents, shareholders, representatives and third party service providers (“Indemnified Parties”), from and against any and all claims, demands, costs, expenses, losses, liabilities and damages of every kind and nature (including, without limitation, attorneys’ fees) imposed upon or incurred directly or indirectly or involving any third party claim due to, relating to and/or arising from: (i) the breach of any term, obligations, covenant, representation or warranty of this Policy; (ii) your violation of any law; (iii) the violation of rights of a third party/other persons including without limitation any intellectual property or other proprietary right ; (iv) any breach of the confidentiality; (v) any misuse of data, including personal data; (vi) any breach of any waiver granted; (vii) any attempt to contact PayU’s clients, merchants, partners, users or third parties to inform the existence of the Vulnerability (including any reference or message in social media making reference to the finding); (viii) any attempt to bring direct or indirectly claims, lawsuits, demands, actions judgments against PayU or any other Indemnified Party, in each case whether or not caused by the negligence of PayU or any other Indemnified Party and whether or not the relevant claim has merit; and/or (ix) any actual or threatened disparagement, defamation or brining to disrepute PayU and or any Indemnified Party by you while being a participant in the Program.
13.2PayU holds the benefit of this indemnity and all other rights under this T&C as trustee for each Indemnified Party benefiting from it. PayU’s failure to act with respect to a breach by you or a cause of indemnity as stated above does not waive its right to act with respect to same, subsequent or similar breaches. These indemnification obligations under shall survive any termination or expiration of Policy against you or your exit from Platform.
14.LIMITATION OF PAYU LIABILITY
14.1If you have any basis for recovering damages in connection with the Program (including breach of these Terms), you agree that your exclusive remedy is to recover, from PayU or any affiliates, merchants, third-party providers, and vendors, direct damages up to a maximum of INR 100.00. You can't recover any other damages or losses, including direct, consequential, lost profits, lost business, lost opportunity, special, indirect, incidental, or punitive. These limitations and exclusions apply even if this remedy doesn't fully compensate you for any losses or fails of its essential purpose or if we knew or should have known about the possibility of the damages. To the maximum extent permitted by law, these limitations and exclusions apply to anything or any claims related to these Terms and the Program.
15.DISPUTE RESOLUTION AND GOVERNING LAW
15.1You and PayU irrevocably consent that this Policy shall be governed by and construed in accordance with the laws of India.
15.2We hope we never have a dispute, but if we do, you and PayU (including its subsidiaries, affiliates and group entities) agree that if any dispute(s) or difference(s) shall arise between the parties in connection with or arising out of or relating to the Program and/or Policy, the parties shall attempt, for a period of 60 (sixty) days from the receipt of a notice (“Disputes Notice”) from the other Party of the existence of a dispute(s), to settle such dispute(s) informally by mutual discussions. If the said dispute(s) cannot be settled by mutual discussions within the sixty-day period specified above, such disputes(s) shall be referred to arbitration for final resolution in the manner provided herein. The Parties shall mutually appoint a sole arbitrator within 90 (ninety) days from the date of the Disputes Notice who shall resolve such accordance with the provisions of the Arbitration and Conciliation Act, 1996, as amended from time to time (“Arbitration Act”). In the event the Parties fail to appoint a sole arbitrator in accordance with the procedure aforesaid and within the time period as specified above, a panel of arbitrators shall be appointed in accordance with the provisions of the Arbitration Act for the final resolution of the dispute(s). The arbitration proceedings shall be held in English language with the seat of the arbitration being New Delhi. Subject to the arbitration agreement as mentioned above, You and we irrevocably consent to the exclusive jurisdiction of the courts at New Delhi, India which shall have the exclusive jurisdiction over any dispute(s) as described above.
15.3Class action lawsuits, class-wide arbitrations, and any other proceeding where someone acts in a representative capacity aren't allowed. Nor is combining individual proceedings without the consent of all parties. If the class action waiver is found to be illegal or unenforceable as to all or some parts of a dispute, then those parts won't be arbitrated but will proceed in court, with the rest proceeding in arbitration. If any other provision of this section is found to be illegal or unenforceable, that provision will be severed but the rest of this section still applies.
16.MISCELLANEOUS
16.1This Policy is the entire agreement between you and PayU for your participation in the Program. It supersedes any prior agreements between you and PayU regarding your participation in the Program. All parts of these Terms apply to the maximum extent permitted by relevant law. If a court or arbitrator holds that PayU can't enforce a part of these Terms as written, PayU may replace those terms with similar terms to the extent enforceable under the relevant law, but the rest of these Terms shall not change.
17.UNSOLICITED IDEAS
17.1Other than your Submission, PayU does not consider or accept unsolicited proposals or ideas, including without limitation ideas for new products, technologies, promotions, product names, product feedback and product improvements ("Unsolicited Feedback"). If you send any Unsolicited Feedback to PayU through the Program or otherwise, PayU makes no assurances that your ideas will be treated as confidential or proprietary.
IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM.
Annex 1: Illustrative Vulnerabilities
- Payment parameters manipulation, Price manipulation with a successful transaction
- All types of Injections
- Broken Access Control
- Server-side Injection
- Cross site scripting - XSS
- Remote Code Execution
- Sensitive data exposure
- Authentication Bypass / Unauthorized Access
- CSRF
- Unrestricted upload vulnerabilities
- Domain take-over vulnerabilities
- Sensitive information leak
- Descriptive error messages
- Any vulnerability that can affect the PayU Brand, User (Customer/Merchant) data and financial transactions
Annex 2: PayU Products
AAny of the PayU services, iOS or Android-based apps, which process, store, transfer or use in one way or personal or sensitive personal information, such as card data and authentication data.
BDomains in scope: -
*.payu.in
*.blazecard.in
*.payu-infra.com
*.payumoney.com
*.payumoney.in
*.payunow.com
*.pmny.in
*.payubiz.com
*.payubiz.in
*.payugur.com
*.payuindia.com
*.blazepay.in
*.citruspay.com
*.citruswallet.co.in
*.citruswallet.co
*.cituswallet.in
*.citruswallet.com
Annex 3: Out of Scope Vulnerabilities
A.Any vulnerabilities without a properly described evidence report of possible exploitation
B.Reports generated by automated scan tools
C.Any services hosted by third party providers and services/Products not provided by PayU.
D.Publicly available information and/or browser instructions, such as:
- Our policies on presence or absence of SPF/DKIM/DMARC records or Cross Site Request Forgery (CSRF) vulnerabilities on unauthenticated pages
- HTML character set vulnerabilities such as “does not specify” or “unrecognized”
- Lack of secure/HTTP Only flags on non-sensitive cookies
- Absence of using HTTP Strict Transport Security (HSTS)
- Clickjacking or the non-existence of X-Frame-Options on non-logon pages
- Cacheable HTTPS response pages on sites that do not provide money transfer capabilities
- Reports of insecure SSL/TLS ciphers
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms (older than two major releases) or for users who have intentionally reduced security settings on their platform
Vulnerability Submission Form