Vulnerability Bounty Program Terms and Conditions
At EQUOS, we are committed to providing a safe and secure payment platform. We constantly improve our services and carry out security updates to make sure your details are safe. In order to achieve the utmost security, we are interested in receiving any information about vulnerabilities or bugs. In return, you will be rewarded. We are particularly interested in vulnerabilities in our payment flow.
The EQUOS Vulnerability Bounty Program Terms and Conditions (Terms) cover your participation in the EQUOS Vulnerability Bounty Program (Program). By submitting any vulnerabilities to EQUOS or otherwise participating in the Program in any manner, you (i) represent that you are at least 18 years old and capable of consent in your jurisdiction, and (ii) accept these Terms.
We may make amendments to these Terms by posting the revised Terms on the website or by emailing them to you. If you do not agree with any amendment, you must not participate in the Program.
References in these Terms to "EQUOS" or "we" are to Diginex Capital Pte. Ltd. (company number 201827813E) and/or the Diginex Group.
Attack types and issues have been separated into reward groups as follows. Issues that are not (yet) assigned to a reward group will be assessed by us and rewarded accordingly.
Very low priority ($10+)
- Non-persistent XSS
- Mixed content
Low priority ($20+)
- Provisioning errors
- Information leaks (excluding user data)
- Low severity issues
Medium priority ($50+)
- Persistent XSS
- CSRF on sensitive forms
High priority ($100+)
- Customer data disclosure
- Authentication bypass
Critical priority ($200+)
- SQL Injection
- Arbitrary code execution
- Remote file inclusion
- Privilege escalation
- Access to user wallets
The decisions made by us regarding bounties are final and binding. You are responsible for any tax implications depending on your country of residency and citizenship.
People ineligible to participate in the Program are:
- Diginex Group/EQUOS employees or anyone associated directly with such employees (past and current);
- Diginex Group/EQUOS vendors and/or contractors (past and current);
- Residents of any country under U.S. sanctions or of any other country that does not allow participation in this type of program;
- Anyone whose employer or organization does not allow participation in these types of programs. You are responsible for reviewing your employer's rules before participating in this Program;
- Anyone who is or was involved in any part of the development, administration, and/or execution of this Program.
- Only the first person to report a vulnerability will be rewarded.
- Reports have to follow our disclosure guidelines.*
- Full details have to be shared about the problems found.
- Disruption of services, compromising or sharing of any user data, or breaking the law is strictly forbidden.
- Attacks that can result in harm to the reliability of our service are forbidden. Attacks that can result in data integrity issues are also forbidden. (D)DoS, spam attacks et cetera are strictly forbidden.
- Don't use automated tools to search for vulnerabilities. Your EQUOS account can get suspended as a result.
- Attacks involving social engineering, phishing, et cetera of EQUOS staff and users are strictly forbidden.
- Do not perform any attacks that are in violation of the law.
- A report shall have detailed steps to reproduce the issue, including links you visited, screenshots or screencasts where needed.
- A report shall include versions of software and all factors that played a role in the attack (browser, OS, et cetera).
By participating in the Program, you will follow these rules:
- Don't engage in any activity that exploits, harms, or threatens to harm children.
- Don't share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).
- Don't engage in activity that is false or misleading.
- Don't engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).
- Don't infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.
All rewards will be made in compliance with local laws, regulations, and ethics rules. We disclaim any and all liability or responsibility for disputes arising between an employee and their employer related to this matter.
There may be additional restrictions on your ability to enter depending upon your local law.
- Finders shall adhere to the Program rules.
- Finders shall respect privacy and make every effort not to access user data.
- Publishing issues or bugs without our prior written consent is not allowed.
- Do not harm our service or our users.
If we find that the above rules have not been adhered to, your report will not be eligible for a bounty.
What you can expect from us
- Our security team will address your reports and questions as quickly as possible.
- Timely pay-out of your bounty to a BTC address of your choice.
- Issues that pertain to anything forbidden in the Program rules
- Reports generated by automated tools
- Software issues that are made public
- Reports that do not include testing or context specific to EQUOS
- Issues that require you to already have access to a victim's account, physical device, and/or registered email account.
- Denial of Service attacks
- Brute Force attacks
- Spam techniques (DKIM / SPF et cetera)
- Social Engineering issues
- Content injection/spoofing
- Path disclosure
- Version information disclosure
- Issues that we are already aware of
- Disclosure of trivial, non-sensitive public information
- Vulnerabilities in our official plugins that are specific to the shopping cart system, rather than our plugin
- Issues regarding spoofed e-mails
- HTTP Security Headers related issues without a proof of concept leveraging the issue
- Issues regarding SSL/TLS cipher suites without a proof of concept leveraging the issue
- Issues that can't be reproduced in the latest major browser versions (Edge, Firefox, Chrome, Safari)
- Issues leveraging the presence of browser extensions
To contact our security department, simply email firstname.lastname@example.org
The EQUOS Mobile applications are not part of this Program.
We reserve the right to adjust the Program at any time without prior notification and to deny bounties at our discretion.
Any information, report, and feedback you provide to us shall remain confidential and may not be disclosed to third parties, including as part of paper reviews or conference submissions.
Violations of this section could require you to return any bounties paid and disqualify you from participating in the Program in the future.
By providing any information, report, and feedback to us, you:
- agree to grant us a non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to: (i) use, review, assess, test, and otherwise analyze such information, report, and feedback; (ii) reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of such information, report, and feedback and all its content, in whole or in part; and (iii) feature such information, report, and feedback and all of its content in connection with the marketing, sale, or promotion of this Program or other programs in all media (now known or later developed);
- agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above;
- represent and warrant that the aforesaid information, report, and feedback provided to us is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide such information, report, and feedback to us.
DIGINEX, AND OUR AFFILIATES, SUBCONTRACTORS AND VENDORS, MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW. NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.
SUCCESSORS AND ASSIGNS
All covenants and agreements and other provisions set forth in these Terms and made by or on behalf of either party shall bind and inure to the benefit of the successors, heirs, and permitted assigns of such party, whether or not so expressed.
GOVERNING LAW AND JURISDICTION
These Terms shall be governed by, and construed in accordance with, the laws of Singapore. Any dispute arising out of or in connection with these Terms (including any question regarding their existence, validity or termination) shall be referred to and finally resolved by the exclusive jurisdiction of the Singapore courts.
A determination by a court or other legal authority of competent jurisdiction that any provision of these Terms is legally invalid shall not affect the validity or enforceability of any other provision hereof. The Parties shall cooperate in good faith to substitute (or cause such court or other legal authority to substitute) for any provision so held to be invalid a valid provision as like in substance to such invalid provision as is lawful.
This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the Program at any time and that the decision as to whether or not to pay a reward is entirely at our discretion.
IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM.