Responsible Disclosure Policy

Introduction

Quiken Techno is very concerned about the security of its systems and data. As part of our ongoing efforts, we strive to make sure that the environment in which we operate is secure and safe for everyone. Your assistance in disclosing any security vulnerabilities associated with any of our Quiken Techno services is greatly appreciated.

Quiken Techno will coordinate with you as an external security researcher (the Researcher) when vulnerabilities are reported to us.

We commit to the following if a Researcher reports a security vulnerability to us in accordance with this Responsible Disclosure Policy:

  • Respond promptly to your vulnerability report and work with you to resolve the issue;
  • Validate, respond to, and fix such vulnerabilities as part of our commitment to privacy and security, and notify you once the issue has been resolved;
  • Not pursue or take to court you or the person who reported the vulnerability, unless prohibited by law;
  • Not suspend or terminate merchants from our service(s); our services must not be suspended or terminated by agents.

Policy Scope

Any service provided through the Quiken Techno website or its iOS, Android or web apps that processes, stores, transfers or otherwise uses personal or sensitive information.

Focus Areas:

All POCs submitted to us should include a step-by-step guide for reproducing the issue. Automated tools or scripts are strictly prohibited, and legal penalties will be imposed if any vulnerability is exploited.

  • Payment flow bypass
  • Price manipulation with a successful transaction (transaction ID required)
  • SQL injection
  • Remote code execution (RCE) vulnerabilities (in this case, upload only a simple backend script that prints a string; ideally print the hostname of the server and then stop. YES, STOP THERE!)
  • Horizontal and vertical privilege escalation in authentication and authorization (use two different test accounts that you created)
  • Domain takeover vulnerabilities
  • Bulk leakage of sensitive user information
  • Error descriptions (e.g., stack traces, application or server errors)
  • Any vulnerability that can affect the Quiken Techno brand, user (customer/merchant) data, or financial transactions

Out of Scope:

General

  • Price manipulation without a successful transaction
  • Third-party services (Quiken Techno is not responsible for them)
  • Services that are not listed in the in-scope domains
  • IDOR references where access is permitted
  • Duplicate submissions under remediation
  • Issues that have already been reported (unless they imply severe data loss or business disruption)
  • Reports of the same vulnerability type with minor differences (only one reward)
  • Open redirects
  • Issues that can only be exploited through clickjacking
  • Missing HttpOnly and Secure flags on cookies other than session cookies (only session cookies require these flags; other cookies are not considered vulnerable)
  • Missing security headers and other unconfirmed security issues
  • Missing CAA records
  • Vulnerabilities requiring physical access
  • Formula/CSV injection
  • DOM-based self-XSS
  • Infrastructure- and system-related issues
  • Recently released patches
  • Networking-related issues or standards
  • Password complexity

Email related:

  • SPF or DMARC records
  • Gmail's acceptance of "+" and "." in addresses
  • Email bombs
  • Unsubscribing from marketing emails

Information Leakage:

  • HTTP 404 codes/pages
  • Fingerprinting or banner disclosure of public/common services
  • Public files or directories (e.g. robots.txt)
  • Cacheable pages served over SSL/TLS

Login and session related:

  • Password-reset page without brute-force protection or account lockout
  • Lack of CAPTCHA
  • Autocomplete or password-saving functionality in an application or web browser
  • Session timeouts

Testing:

  • Only an account owner, or an agent authorised by the account owner, may conduct testing against a merchant account.

Researchers are not permitted to access, download, modify or attempt to modify data within another account or data that does not belong to them. To protect our merchants, users, employees, the Internet as a whole, and you as a Researcher, we expressly exclude the following test types from scope and testing: any findings from physical testing (office access, tailgating, open doors) and DoS/DDoS vulnerabilities. Identifying spelling mistakes or UI/UX bugs is also not covered by responsible disclosure.

Rules

In order to be a Researcher, you must:

  • Take care, when performing security tests, not to violate privacy, degrade the user experience, disrupt production systems, or delete data.
  • Not attempt to access another person's account, data, or personal information.
  • Use your real email address to sign up and to report vulnerabilities.
  • Keep any vulnerabilities you discover confidential between you and Quiken Techno. (Quiken Techno will remedy such vulnerabilities within a reasonable amount of time: approximately 1 month at the minimum, but this will differ based on the nature of the security vulnerability and Quiken Techno's regulatory compliance obligations.)
  • Not publicly disclose the bug or vulnerability until it is fixed and Quiken Techno has approved disclosure.
  • Not attempt to compromise our Services' reliability, integrity, or capacity. Spam and DDoS attacks are strictly prohibited.
  • Not use scanners or automated tools to find vulnerabilities; if you do, we may automatically suspend your account and ban your IP address.
  • If a vulnerability is found, you represent and warrant that you have the right, title, and interest to disclose that vulnerability, including any documents, code, and other materials. Once you report a vulnerability, you grant Quiken Techno, its subsidiaries and affiliates an irrevocable, worldwide, royalty-free, transferable, sublicensable right to use it in any manner Quiken Techno deems appropriate for any purpose, including reproduction, modification, distribution, and adaptation, among other uses. Any claims arising from any disclosure accepted by Quiken Techno are hereby waived, including claims in express contract, implied-in-fact contract, or quasi-contract.

Your report should include the following information:

  • The steps that must be followed to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful).
  • Your email address.

Report Template

Notify our security team of the identified bug by emailing info@quikentechno.com from your registered email address with the subject line "SUSPECTED VULNERABILITY ON Quiken Techno". Do not change the subject line; otherwise the email will be ignored and will not be eligible for a bounty.

The following format must be followed:

Individual Details:

  • Full Name:
  • Mobile Number:
  • Any Publicly Identifiable profile(LinkedIn, Github etc):

Bug Details:

  • Name of the Vulnerability:
  • Areas affected:

Our current compensation policy does not include monetary compensation. We may, however, send out Quiken Techno swag from time to time. The Responsible Disclosure Policy does not permit requests or demands for monetary compensation related to identified or alleged vulnerabilities.

We have a Hall of Fame that you can visit:

Consequences of Complying with This Policy:

In the event of accidental, good-faith violations of this policy, we will not initiate civil action or file a complaint with law enforcement. Under this policy, we consider activities conducted in accordance with the Act to be "authorized" conduct. If you circumvent the technological measures we have used to protect the applications in scope, we will not bring a DMCA claim against you.

If a third party initiates legal action against you and you have complied with the Quiken Techno Terms of Service, you will be informed.

Public Disclosure Policy:

This program operates in "PUBLIC NONDISCLOSURE" mode, which means:

PUBLIC DISCLOSURE OF VULNERABILITIES FOUND IN THIS PROGRAM IS NOT PERMITTED, AND ANYONE WHO MAKES SUCH A DISCLOSURE MAY BE LIABLE FOR LEGAL PENALTIES.

The Fine Print

The terms of this program may change or be terminated at any time. Any changes we make to these terms will not be retroactive. Employees of Quiken Techno are not eligible to claim a bounty.