PayU takes the security of our systems and our data very seriously. We are continuously striving to maintain and ensure that our environment is safe and secure for everyone to use. If you’ve discovered any security vulnerabilities associated with any of our PayU services, we do appreciate your help in disclosing it to us in a responsible manner.
PayU will engage with you as external security researchers (the Researcher) when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy. If a Researcher follows the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us, unless prescribed otherwise by law or the payment scheme rules, we commit to:
Any of the PayU services, iOS or Android-based apps, which process, store, transfer or use in one way or personal or sensitive personal information, such as card data and authentication data.
In particular, Web service vulnerabilities are classified using OWASP Top-10. Mobile application vulnerabilities are classified using OWASP Mobile Top-10.
Any services hosted by 3rd party providers and services not provided by PayU.
A Researcher can test only against a merchant account if they are an account owner or an agent authorized by the account owner to conduct such testing. As a Researcher, in no event are you permitted to access, download or modify data residing in any other account or that does not belong to you or attempt to do any such activities.
In the interest of the safety of our merchants, users, employees, the Internet at large and you as a Researcher, the following test types are expressly excluded from scope and testing: any findings from physical testing (office access, tailgating, open doors) or DOS or DDOS vulnerabilities. A responsible disclosure also does not include identifying any spelling mistakes, or any UI and UX bugs…
We require that all Researchers must:
We do not offer any monetary compensation, only fame, glory recognition and our appreciation.
Requests or demands for monetary compensation in connection with any identified or alleged vulnerability are non-compliant with this Responsible Disclosure Policy.
Hall of Fame
PayU thanks the following individuals and organizations that have identified security vulnerabilities in accordance with this Responsible Disclosure Policy.
Researcher shall fully indemnify, hold harmless and defend (collectively “indemnify” and “indemnification”) PayU, its subsidiaries and affiliates, its directors, officers, employees, agents, and stockholders (collectively, “Indemnified Parties”) from and against all claims, demands, actions, suits, damages, liabilities, losses, settlements, judgments, costs and expenses (including but not limited to reasonable attorney’s fees and costs), whether or not involving a third party claim, which arise out of or relate to (1) any breach of any representation or warranty contained in this Responsible Disclosure Policy made by the researcher, (2) any breach or violation of the terms of this Responsible Disclosure Policy or any obligation or duty of the Researcher referred therein or under applicable law, (3) any breach of the confidentiality, (4) any misuse of data, including personal data, (5) any breach of any waiver granted, (6) any attempt to contact PayU’s clients, users or third parties to inform the existence of the vulnerability. It includes any reference or message in social media making reference to the finding (7) any attempt to bring direct or indirectly claims, lawsuits, demands, actions judgments against PayU or any other Indemnified Party, in each case whether or not caused by the negligence of PayU or any other Indemnified Party and whether or not the relevant claim has merit.