Privacy Policy


Sifipay Technology ("us", "we", or "our") operates the https://www.sifipay.com website (the "Service"). This page informs you of our policies regarding the collection, use and disclosure of Personal Information when you use our Service.

We will not use or share your information with anyone except as described in this Privacy Policy.

We use your Personal Information for providing and improving the Service. By using the Service, you agree to the collection and use of information in accordance with this policy.

Information Collection And Use

While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to, your email address and other information ("Personal Information").

Log Data

We record information relating to your use of Sifipay, such as the searches you undertake, the pages you view, your browser type, IP address, location, requested URL, referring URL, and timestamp information. We use this type of information to administer Sifipay and provide the highest possible level of security and service to you. We also use this information in the aggregate to perform statistical analyses of User behavior and characteristics in order to measure interest in and use of the various areas of Sifipay. However, you cannot be identified from this aggregate information.

In addition, we may use third party services such as Google Analytics that collect, monitor and analyze this type of information in order to increase our Service's functionality. These third party service providers have their own privacy policies addressing how they use such information.

Cookies

Cookies are files with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer's hard drive.

We use "cookies" to collect information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.

Service Providers

We may employ third party companies and individuals to facilitate our Service, to provide the Service on our behalf, to perform Service-related services or to assist us in analyzing how our Service is used.

These third parties have access to your Personal Information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Communications

We may use your Personal Information to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link or instructions provided in any email we send.

Security

The security of your Personal Information is important to us, but remember that no method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.

International Transfer

Your information, including Personal Information, may be transferred to and maintained on computers located outside of your state, province, country or other governmental jurisdiction, where the data protection laws may differ from those of your jurisdiction.

If you are located outside India and choose to provide information to us, please note that we transfer the information, including Personal Information, to India and process it there.

Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.

Links To Other Sites

Our Service may contain links to other sites that are not operated by us. If you click on a third party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over, and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

Children's Privacy

Our Service does not address anyone under the age of 13 ("Children").

We do not knowingly collect personally identifiable information from children under 13. If you are a parent or guardian and you are aware that your Children have provided us with Personal Information, please contact us. If we become aware that we have collected Personal Information from Children under age 13 without verification of parental consent, we take steps to remove that information from our servers.

Changes To This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

By using Sifipay and/or by providing your information, you consent to the collection and use of the information you disclose on Sifipay in accordance with this Privacy Policy, including but not limited to your consent for sharing your information as per this Privacy Policy. As per the Information Technology Act 2000 and the rules made thereunder, the name and contact details of the Grievance Officer are provided below:

1. Responsible Disclosure Policy

Sifipay takes the security of our systems and their data very seriously. We are continuously striving to maintain and ensure that our environment is safe and secure for everyone to use. If you've discovered any security vulnerabilities associated with any of our Sifipay services, we appreciate your help in disclosing them to us in a responsible manner.

Sifipay will engage with you as an external security researcher (the "Researcher") when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy.

If a Researcher follows the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us, unless prescribed otherwise by law or the payment scheme rules, we commit to:

o promptly acknowledge receipt of your vulnerability report and work with the Researcher to understand and attempt to resolve the issue quickly;

o validate, respond to and fix such vulnerability in accordance with our commitment to security and privacy. We will notify you when the issue is fixed;

o unless prescribed otherwise by law, not pursue or take legal action against you or the person who reported such security vulnerabilities;

o not suspend or terminate access to our service/services if you are a merchant. If you are an agent, not suspend or terminate the access to our services of the merchants the agent represents.

2. In Scope of this Policy

Any of the Sifipay services (iOS, Android or Web apps) which process, store, transfer or in any way use personal or sensitive personal information, such as card data and authentication data.

Focus Areas

Automated tools or scripts ARE STRICTLY PROHIBITED, and any POC submitted to us should include a proper step-by-step guide to reproduce the issue. Abuse of any vulnerability found shall be liable to legal penalties.

o Able to bypass payment flow

o Price manipulation with a successful transaction (transaction id required)

o SQL Injections

o Remote Code Execution (RCE) vulnerabilities

o Shell Upload vulnerabilities (only upload a basic backend script that just prints some string, preferably the hostname of the server, and stop there! YES, STOP THERE!)

o Authentication and Authorization vulnerabilities including horizontal and vertical escalation. (Use 2 different test accounts created by you)

o Domain take-over vulnerabilities

o Stored XSS

o Bulk user sensitive information leak

o Descriptive error messages (e.g. Stack Traces, application or server errors)

o Any vulnerability that can affect the Sifipay Brand, User (Customer/Merchant) data and financial transactions

3. Out of Scope

General

  1.   Price manipulation WITHOUT SUCCESSFUL TRANSACTION
  2.   Any services hosted by 3rd party providers and services not provided by Sifipay
  3.   Any service that is not mentioned in the In Scope domains section
  4.   IDOR references for objects that you have permission to access
  5.   Duplicate submissions that are being remediated
  6.   Known issues
  7.   Rate limiting (Unless it implies severe threat to data, business loss)
  8.   Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
  9.   Open redirects
  10.   Clickjacking and issues only exploitable through clickjacking
  11.   Only session cookies need the HttpOnly and Secure flags; missing flags on other cookies are not considered a vulnerability
  12.   Issues without clearly identified security impact, such as missing security headers
  13.   Vulnerabilities requiring physical access to the victim's unlocked device.
  14.   Formula Injection or CSV Injection
  15.   DOM Based Self-XSS and issues exploitable only through Self-XSS.

System and Infrastructure Related

  1.   Patches released within the last 30 days
  2.   Networking issues or industry standards
  3.   Password complexity
  4.   Email related
  5.   Information Leakage: cacheable SSL pages

Login and Session Related

  1.   Forgot Password page brute force and account lockout not being enforced
  2.   Lack of Captcha
  3.   Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  4.   Session Timeouts

4. Testing

A Researcher can test only against a merchant account if they are the account owner or an agent authorised by the account owner to conduct such testing.

As a Researcher, in no event are you permitted to access, download or modify data residing in any other account or that does not belong to you or attempt to do any such activities.

In the interest of the safety of our merchants, users, employees, the Internet at large and you as a Researcher, the following test types are expressly excluded from scope and testing: any findings from physical testing (office access, tailgating, and open doors) and DoS or DDoS vulnerabilities. Responsible disclosure also does not include identifying spelling mistakes or any UI and UX bugs.

5. Rules

We require that all Researchers must:

o Make every effort to avoid privacy violations, degradation of user or merchant experience, disruption to production systems, and destruction of data during security testing.

o Not attempt to gain access to any other person's account, data or personal information.

o Use their real email address to sign up and report any vulnerability information to us.

o Keep information about any vulnerability you've discovered confidential between yourself and Sifipay. Sifipay will take a reasonable time to remedy such vulnerability (approximately 1 month as a minimum, but this is dependent on the nature of the security vulnerability and regulatory compliance by Sifipay). The Researcher shall not publicly disclose the bug or vulnerability on any online or physical platform before it is fixed and without prior written approval from Sifipay to publicly disclose it.

o Not perform any attack that could harm the reliability, integrity and capacity of our Services. DDoS/spam attacks are STRICTLY not allowed.

o Not use scanners or automated tools to find vulnerabilities (they are noisy, and we may automatically suspend your account and ban your IP address).

o As a Researcher, you represent and warrant that you have the right, title and interest to disclose any vulnerability found and to submit any information, including documents, code, among others, in connection therewith. Once you report a vulnerability, you grant Sifipay, its subsidiaries and affiliates an irrevocable, worldwide, royalty-free, transferable, sub-licensable right to use the information related to the vulnerability in any way Sifipay deems appropriate for any purpose, such as reproduction, modification, distribution and adaptation, among other uses. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by Sifipay.

Remember that you must never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

Please include the following information with your report:

o Detailed description of the steps required to help us reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)

o Your email address.

6. Report Template

The identified bug shall be reported to our security team by sending a mail from your registered email address to security@sifipay.com (SUBJECT: SUSPECTED VULNERABILITY ON SIFIPAY), without changing the subject line, otherwise the mail shall be ignored and not be eligible for bounty. The mail should strictly follow the format below:

  Individual Details:

Full Name:

Mobile Number:

Any Publicly Identifiable profile(LinkedIn, Github etc.):

  Bug Details:

Name of the Vulnerability:

Areas affected:

  Impact:

Detailed steps to reproduce (transaction ids can also be provided here):

7. Consequences of Complying with This Policy

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

If legal action is initiated by a third party against you and you have complied with Sifipay’s VDP, Sifipay will take steps to make it known that your actions were conducted in compliance with this policy.

8. Public Disclosure Policy:

By default, this program is in “PUBLIC NONDISCLOSURE” mode which means:

"THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO THE PUBLIC, FAILING WHICH SHALL BE LIABLE TO LEGAL PENALTIES!"

9. The Fine Print

We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. Sifipay employees and their family members are not eligible for bounties.
