bug-bounty

XPay.Life Bug Bounty

At XPay.Life we place security as foundation of innovation and growth. Our platform and mobile app had harnessed secure technologies and technique. If you believe that you have found security vulnerability or Bug on any of XPay.Life mobile app or Website, we encourage you to let us know straight away. Our Team will investigate all legitimate reports and do our best to quickly fix the problem.

Disclosure Policy

We will acknowledge your submission only if you are the first person to report a certain vulnerability. Known issues or issues that have already been reported will not be considered as a valid report
You may not publicly disclose the vulnerability prior to our resolutions
Be the first person to responsibly disclose the bug.
Report a bug that could compromise our users' private data, circumvent the system's protections, or enable access to a system within our infrastructure.

Rules of Engagement

You give us reasonable time to investigate and mitigate an vulnerability that you report.
Please refrain from accessing sensitive information (by using a test account and/or system), performing actions that may negatively affect other XPay.Life users (denial of service), or sending reports from automated tools.
You do not exploit a security vulnerability that you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
Violating any laws or breaching any agreements in order to discover vulnerabilities.

Programme Terms

We recognise security researchers who help us to keep users safe by reporting vulnerabilities in our services. Recognition for such reports are entirely at XPay.Life’s discretion, based on risk, impact and other factors.
Adhere to our Responsible Disclosure Policy
Report a security bug: identify a vulnerability in our services or infrastructure which creates a security or privacy risk. (Note that XPay.Life ultimately determines the risk of a vulnerability, and that many software bugs are not security vulnerabilities.)
Your report must describe a problem involving one of the products or services listed under "Scope".
We specifically exclude certain types of potential security vulnerabilities; these are listed under "Exclusions”.
If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations or other confidential information) while investigating a vulnerability, make sure that you disclose this in your report.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service and only interact with accounts you own or with the explicit permission of the account holder.

Please refrain from the following:

Trying DOS/DDOS attacks
Automated Scanning
Using vulnerability testing tools that automatically generate significant traffic
Accessing private information (use your own accounts)
Performing actions that may negatively affect XPay.Life users (social engineering, phishing, spam, denial of service)
Submitting reports from automated tools without verifying them.
Performing brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.
We investigate and respond to all valid reports. Due to the volume of reports that we receive, however, we prioritise evaluations based on risk and other factors, and it may take some time before you receive a reply.
We determine recognition in hall of fame based on a variety of factors, including (but not limited to) impact, ease of exploitation and quality of the report.
In the event of duplicate reports, we give recognition to the first person to submit a vulnerability.
Note that your use of XPay.Life’s services including for the purposes of this programme, is subject to XPay.Life’s Terms and Policies. We may retain any communications about security vulnerabilities that you report for as long as we deem necessary for programme purposes, and we may cancel or modify this programme at any time.

Scope

bug

Android XPay.Life

bug

iOS XPay.Life

bug

XPay.Life

Reward

Our minimum reward or bounty is ₹2000.
There is no maximum reward - each bug is awarded a bounty based on its severity, scope and exploit level.
Critical & High severity valid bug reporters will be listed on XPay.Life wall of Fame.
Report Vulnerability at - support@xpay.life
Thank you for helping keep XPay.Life and our users safe!