Responsible Disclosure

INTRODUCTION

At Wegofin Digital Solutions Private Limited, safeguarding our users and maintaining a secure environment is of utmost importance. We value the input of security researchers in identifying vulnerabilities within our systems and regard securing those systems as an ongoing effort.

We encourage skilled security researchers to participate in our vulnerability disclosure program to help us maintain the integrity of our services. Our Responsible Disclosure Policy outlines the guidelines for reporting any security vulnerabilities associated with Wegofin Digital Solutions Private Limited.

POLICY

To uphold the security of our systems, Wegofin Digital Solutions Private Limited requests that security researchers and members of the security community adhere to the following rules when reporting security vulnerabilities:

  • Researchers must report vulnerabilities to Wegofin Digital Solutions Private Limited's security team via email at [email protected]
  • We acknowledge receipt of submissions within 24 hours.
  • The severity and exploitability of reported issues are evaluated within 3 to 5 days.
  • Researchers should refrain from accessing sensitive information, performing actions that may impact other users, or sending automated reports.
  • Vulnerabilities should not be exploited or disclosed publicly until they have been resolved.
  • Wegofin Digital Solutions Private Limited commits to publicly acknowledging and recognizing responsible disclosures.

REPORTING GUIDELINES

When reporting a vulnerability, please include the following details in your report:

  • Description of the vulnerability and its potential impact.
  • Step-by-step instructions for reproducing the vulnerability.
  • Screenshots and video proofs of concept, if available.
  • Your preferred name or handle for recognition as a Security Researcher.

TARGET SCOPE

To evaluate security vulnerabilities, researchers are advised to investigate the following areas:

Exclusion of Third-Party Software

Wegofin Digital Solutions Private Limited incorporates third-party software to deliver services to its clientele. Any bugs or vulnerabilities discovered in third-party software will not be deemed valid within this program. Vulnerabilities reported to Wegofin Digital Solutions Private Limited may be conveyed to the respective third-party service provider.

In-Scope Vulnerabilities Overview

  • Remote Code Execution (RCE)
  • Payment flow circumvention
  • Account Takeover Attacks (ATOs)
  • Price manipulation resulting in a successful transaction (transaction ID required)
  • SQL injection, XXE, and command injection
  • Stored cross-site scripting attacks and impactful reflected XSS attacks
  • Server-Side Request Forgery (SSRF)
  • Misconfigurations in servers and applications
  • Horizontal and vertical privilege escalation (authentication and authorization vulnerabilities)
  • Cross-Site Request Forgery (CSRF)
  • Leakage of sensitive information and Insecure Direct Object References (IDOR)
  • Domain takeover vulnerabilities
  • Potential vulnerabilities in Wegofin Digital Solutions Private Limited Brand, User (Customer/Merchant) data, and financial transactions

Out-of-Scope Vulnerabilities

  • Social engineering attacks targeting Wegofin Digital Solutions Private Limited employees or contractors (including phishing)
  • Distributed Denial of Service (DDoS) attacks
  • Missing security flags on non-sensitive cookies, and missing X-Frame-Options headers
  • Missing security headers without a direct vulnerability impact (unless a proof of concept is provided)
  • Version disclosure (unless a working exploit is demonstrated)
  • Publicly readable directory listings
  • HTML injection and self-XSS
  • Non-vulnerability-related information (e.g., stack traces, application errors, robots.txt, etc.)
  • Use of known-vulnerable libraries like OpenSSL without proof of exploitation
  • Lack of account lockout enforcement and brute force against login and forgotten-password pages
  • Locking of user accounts to deny service to an application
  • Scanned or automated reports
  • Issues that are only exploitable through clickjacking
  • Missing/weak/bypassed CAPTCHA
  • Weak/insecure cipher suites, BEAST, BREACH, renegotiation attacks, and SSL best practice deficiencies
  • HTTP TRACE or OPTIONS methods being enabled
  • Login/logout CSRF
  • Open ports without a proof-of-concept to demonstrate vulnerability
  • Reflected XSS without a proof of concept demonstrating impact
  • Formula or CSV injection
  • Retention of EXIF data in images
  • Rate-limiting issues
  • Cookies without security flags
  • SPF/DKIM/DMARC issues in email
  • Enumeration of user email addresses
  • Wegofin Digital Solutions Private Limited reserves the right to augment this list of exclusions as necessary.

ACKNOWLEDGMENTS

We appreciate the efforts of security researchers in identifying and reporting vulnerabilities. Your contributions help us maintain a secure environment for all our users, and we aim to resolve reported issues promptly.

Thank you for your assistance and cooperation in ensuring the security of Wegofin Digital Solutions Private Limited's services.