logo

An Indian payment platform, Finpandatech, ensures effortless integration within a single day, and is the only platform that can handle integrated payments in real time.

Connected details:
  • FIN PANDA TECHNOLOGY PRIVATE LIMITED
    Registered Office Address: #1-8-303, 48/15, PG Road, Sindhi Colony, Begumpet, Hyderabad 500016.
  • [email protected]

Responsible Disclosure Policy

Finpandatech Security Vulnerabilities

Our website Finpandatech strives non-stop to ensure that our environment is safe and secure. We place a great deal of importance on the security of our data and system. Finpandatech appreciates you disclosing any security vulnerabilities you have discovered in any of its services in a responsible manner.

In accordance with this Responsible Disclosure Policy, when you report vulnerabilities to Finpandatech, we will engage with you as an external security researcher (the Researcher).

Disclosing Responsibly

Finpandatech commits to comply with the following principles when a Researcher reports security vulnerabilities to Finpandatech, unless otherwise specified by law or the payment scheme practices:

  • Recognize the vulnerability report immediately and work with the researcher to resolve it as quickly as possible;
  • We will validate and verify the vulnerability, respond and fix it in accordance with our commitment to privacy and security. Once the issue has been resolved, we will inform you;
  • You or the person reporting the security vulnerability will not be prosecuted unless specified otherwise by law;
  • As a merchant, do not stop, suspend or hold access to the Finpandatech services, and as an agent, do not stop, suspend or hold access to the Finpandatech services that you represent;
  • We acknowledge and appreciate your responsible disclosure of vulnerabilities to Finpandatech.
  • As part of this policy
  • Finpandatech services, iOS or Android-based apps that process, store, transfer or use personal or sensitive information, such as credit card numbers and authentication credentials.

Out of scope

Any services hosted by third-party providers and those not provided by Finpandatech.

Testing

The researcher can use their own merchant accounts to conduct any testing or research and cannot access data that does not belong to them.

There are two types of researchers: account owners or agents who are approved by account owners to test a merchant account. It is not allowed or permitted for the Researcher to access the merchant account, download or modify data from any other account, including the account that does not belong to the Researcher.

Any applicable laws or regulations must not be violated by the Researcher.

A number of test types are explicitly excluded from testing for the protection of our merchants, users, employees, the internet at large, and you as a researcher - any findings from physical testing (office access, tailgating, open doors) or DOS or DDOS vulnerabilities.

This responsible disclosure does not include identifying spelling mistakes or UI/UX bugs.

Rules

Terms and conditions for Researchers are as follows:

  • It mustn't violate the privacy policies, shouldn't interfere with or deny services to any users, shouldn't disturb our production system, and shouldn't delete, compromise, or misuse data.
  • A vulnerability cannot actually be exploited, only explained or shown to be exploitable.
  • Don't lose funds that you don't own.
  • You must not attempt to gain access to, download, copy, delete, compromise, or misuse the personal data of others.
  • To report such vulnerabilities, you must use your own email address and other information for account registration at Finpandatech.
  • You must keep such vulnerability information confidential between yourself and Finpandatech. Finpandatech must approve any disclosure of the information, discovery, or contents of such vulnerability to any third party. Finpandatech will take a reasonable amount of time to resolve the vulnerability (approximately 1 month as a minimum), depending on the nature of the vulnerability and Finpandatech's regulatory compliance.
  • Our integrity, reliability, and service delivery must not be compromised by any attacks. The use of DDoS/SPAM attacks is strictly prohibited.
  • Use of automated tools or scanners is prohibited (noisy and your IP address and account will be suspended automatically).
  • Finpandatech and its affiliates receive a permanent, irrevocable, worldwide, royalty-free, transferable, sublicensable right to use, copy, adapt, develop, create derivative works from, and share your submission.
  • Your submission waives all claims, including breach of contract or implied-in-fact contract, or quasi-contract.
  • Must not attack in no-technical manner such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • Report
  • A detailed description and steps from the researcher are necessary for us to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful). It is essential that they include their email address.