Responsible Disclosure Programme

We take the security of our systems, products, our employees’ and customers’ information seriously, and we value the security community. We appreciate and encourage security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to Paymark Limited affiliates and subsidiaries (together referred to herein as ‘Paymark’ or ‘we’/‘us’/‘our’). If you believe you have identified a potential security vulnerability, please submit it to our Responsible Disclosure Programme.

Please note, Paymark does not operate a public bug bounty programme and we make no offer of reward or compensation in exchange for submitting potential issues.

Responsible Disclosure Programme Guidelines

We require that all researchers:

        Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;

        Do not engage in any activity that can potentially or actually cause harm to Paymark, our customers, or our employees;

        Do not initiate any fraudulent financial transactions;

        Do not store, share, compromise or destroy Paymark or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Paymark. This step protects any potentially vulnerable data, and you;

        Do not engage in any activity that violates (a) New Zealand, Australian or other applicable laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity;

        Perform research only within the scope set out below;

        Use the identified communication channels to report vulnerability information to us; and

        Keep information about any vulnerabilities you have discovered confidential between yourself and Paymark.

If you follow these guidelines when reporting an issue to us, we commit to:

        Not pursue or support any legal action related to your research;

        Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 5 business days of submission);

        Make a code or configuration change based on the issue.

Disclosure Policy

        Let us know as soon as possible upon discovery of a potential security issue, and we will make every effort to quickly resolve the issue;

        Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party;

        Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Who can participate in the programme

Anyone who does not work for Paymark or a Paymark partner, who reports a unique in-scope security issue, and who does not disclose it to a third party.

Scope

        Any public-facing website owned, operated, or controlled by Paymark, including web applications hosted on those sites.

        All consumer accessible systems of Software-based PIN Entry on COTS, including the PIN CVM Application itself as well as the protocols used to communicate between the PIN CVM Application, SCRP and back-end monitoring systems.

Out of scope

Any client sites, and any sites or services hosted by third-party providers, are excluded from scope.

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:

        Findings from physical testing such as office access (e.g. open doors, tailgating)

        Findings derived primarily from social engineering (e.g. phishing, vishing)

        Findings from applications or systems not listed in the ‘Scope’ section

        UI and UX bugs and spelling mistakes

        Resource Exhaustion Attacks

        Network level Denial of Service (DoS/DDoS) vulnerabilities

        You do not exfiltrate any data under any circumstances

        You do not intentionally compromise the privacy or safety of Paymark personnel or any third parties

        You do not intentionally compromise the intellectual property or other commercial or financial interests of any Paymark personnel or entities, or any third parties.

Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Paymark and our users safe! Please submit your report to support@paymark.co.nz.