INTRODUCTION
Wegofin Digital takes system security seriously and strives to maintain a safe and secure
environment for all users. Ensuring system security is a continuous process, and we welcome
reports of security vulnerabilities affecting Wegofin Digital services.
Wegofin Digital invites skilled security researchers to participate in its Vulnerability
Disclosure Program. If you are an external security researcher, you can report vulnerabilities
to Wegofin Digital in accordance with our Responsible Disclosure Policy. Wegofin Digital reserves
the right to decide whether a report is valid, based on the impact of the reported vulnerability.
POLICY
To keep our systems secure, Wegofin Digital sincerely appreciates the help of security
researchers and other members of the security community. When reporting a security
vulnerability to us, researchers must adhere to the rules set forth in this Responsible
Disclosure Policy.
- If you are aware of a vulnerability in our product or infrastructure that meets the criteria
listed below, please contact us at [email protected]
- Our security team will acknowledge your submission within 24 hours.
- Wegofin Digital assesses the severity of an issue based on its impact and how easily it can
be exploited.
- We will validate the reported issue within 3 to 5 days.
- Do not access sensitive information (use a test account and/or system instead), do not take
actions that may negatively affect other users (such as denial of service), and do not send
automated reports.
- Do not exploit security vulnerabilities beyond what is needed to demonstrate them.
- Research must stay within the scope defined below.
- Do not access, download, or modify data in accounts other than your own.
- Keep all vulnerability information confidential until the issue has been resolved. If you
have reported a security vulnerability to Wegofin Digital, do not disclose the details
publicly.
- Wegofin Digital commits to publicly acknowledging and recognizing your responsible
disclosure.
- A variety of factors are considered when determining recognition in the Hall of Fame,
including (but not limited to) impact, ease of exploitation, and report quality.
Vulnerabilities with extremely low risk may not qualify.
- When a vulnerability is reported more than once, we recognize the first reporter. Wegofin
Digital determines which reports are duplicates and may not share details of the earlier
report.
REPORTING GUIDELINES
If you find a vulnerability, please notify [email protected] The Wegofin Digital security
team can only be contacted through the email address registered with the program. Do not use
personal emails, social media accounts, or other private channels to contact members of the
security team about vulnerabilities or any program-related issues, unless instructed to do so.
Please include the following details in your report:
- A description of the vulnerability and its potential impact.
- Detailed steps for reproducing the vulnerability.
- Screenshots and video proofs of concept, if available.
- Your preferred name/handle for our Security Researcher acknowledgments.
TARGET SCOPE
Researchers should focus on the areas listed below when looking for security vulnerabilities.
Third-party software is excluded:
Wegofin Digital integrates third-party software to provide services to its customers. A bug or
vulnerability found in third-party software will not be considered valid as part of this
program. Vulnerability details reported to Wegofin Digital may be forwarded to the affected
third-party service provider.
In-scope vulnerabilities:
- Remote code execution (RCE)
- Payment flow bypass
- Account takeover (ATO)
- Price manipulation resulting in a successful transaction (transaction ID required)
- SQL injection, XXE, and command injection
- Stored cross-site scripting (XSS) and reflected XSS with demonstrated impact
- Server-side request forgery (SSRF)
- Server and application misconfigurations
- Authentication and authorization flaws, including horizontal and vertical privilege
escalation
- Cross-site request forgery (CSRF)
- Sensitive information disclosure and insecure direct object references (IDOR)
- Domain or subdomain takeover
- Any other vulnerability affecting the Wegofin Digital brand, user (customer/merchant) data,
or financial transactions
Out-of-scope vulnerabilities:
- Social engineering (including phishing) of Wegofin Digital employees or contractors
- Distributed denial of service (DDoS)
- Missing cookie flags on non-sensitive cookies; missing X-Frame-Options header
- A missing security header that does not lead directly to a vulnerability (unless a
proof of concept is delivered)
- Version disclosure (unless a working exploit is demonstrated)
- Publicly accessible directory listings
- HTML injection and self-XSS
- Information that is not a vulnerability in itself, such as stack traces, application errors,
robots.txt, etc.
- Use of known-vulnerable libraries (such as OpenSSL) without proof of exploitation
- Missing account lockout or brute-force protection on the login and forgotten-password pages
- Denial of service by locking out user accounts
- Output of automated scanners
- Issues that can only be exploited through clickjacking
- Missing, weak, or bypassable CAPTCHA
- SSL/TLS issues such as weak or insecure cipher suites, BEAST, BREACH, renegotiation attacks,
and missing best practices
- HTTP TRACE or OPTIONS methods enabled
- Login/logout CSRF
- Open ports without a proof of concept demonstrating a vulnerability
- Reflected XSS without a proof of concept demonstrating impact
- CSV/formula injection
- EXIF metadata not stripped from uploaded images
- Missing rate limiting
- Missing security headers or cookie flags
- Email SPF/DKIM/DMARC configuration issues
- User email address enumeration
Wegofin Digital reserves the right to add further exclusions to this list as needed.
ACKNOWLEDGMENTS
We strive to resolve all reported issues as quickly as possible, and we appreciate you
reporting them to us and, where appropriate, assisting with the final publication.