Responsible Disclosure Policy

Introduction

At Procol, we take the security of our systems seriously, and it is our constant endeavour to make our environment a safe place for our customers to browse. However, in the rare case that a security researcher or member of the general public identifies a vulnerability in our systems, we appreciate their help in sharing the details with us in a responsible manner. Our team will work closely with them to address, with urgency, vulnerabilities reported to us in accordance with this Responsible Disclosure Policy and, if they so wish, publicly acknowledge their contribution.

To be eligible for recognition, you must

  1. Be the first person to responsibly disclose the bug.
  2. Report a bug that could compromise our users' private data, circumvent the system's protections, or enable access to a system within our infrastructure.

Rules of Engagement

  1. You give us reasonable time to investigate and mitigate any vulnerability that you report.
  2. Please refrain from accessing sensitive information (by using a test account and/or system), performing actions that may negatively affect other Procol users (denial of service), or sending reports from automated tools.
  3. You do not exploit a security vulnerability that you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
  4. You do not violate any laws or breach any agreements in order to discover vulnerabilities.
  5. You do not publicly disclose details of a security vulnerability that you've reported without Procol's permission.

Programme terms

We recognise security researchers who help us keep the Procol system safe by reporting vulnerabilities in our services. Recognition for such reports is entirely at Procol’s discretion, based on risk, impact and other factors. For recognition in Procol’s Hall of Fame, you first need to meet the following requirements:

  1. Adhere to our Responsible Disclosure Policy
  2. Report a security bug: identify a vulnerability in our services or infrastructure which creates a security or privacy risk. (Note that Procol ultimately determines the risk of a vulnerability and that many software bugs are not security vulnerabilities.)
  3. Your report must describe a problem involving one of the products or services listed under "Scope".
  4. We specifically exclude certain types of potential security vulnerabilities; these are listed under "Out of Scope".
  5. If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations or other confidential information) while investigating a vulnerability, make sure that you disclose this in your report.

In turn, we will follow these guidelines when evaluating reports under our responsible disclosure programme:

  1. We investigate and respond to all valid reports. Due to the volume of reports that we receive, however, we prioritise evaluations based on risk and other factors, and it may take some time before you receive a reply.
  2. We determine recognition in the hall of fame based on a variety of factors, including (but not limited to) impact, ease of exploitation and quality of the report. Note that extremely low-risk vulnerabilities may not qualify for the hall of fame at all.
  3. In the event of duplicate reports, we give recognition to the first person to submit a vulnerability. (Procol determines duplicates and may not share details on the other reports.)

Note that your use of Procol services including for the purposes of this programme is subject to Procol’s Terms and Policies. We may retain any communications about security vulnerabilities that you report for as long as we deem necessary for programme purposes, and we may cancel or modify this programme at any time.

How to Report a Vulnerability?

If you have identified a vulnerability in any of our web or mobile applications or infrastructure, we request that you follow the steps outlined below:

  1. Please submit the vulnerability report form with the necessary details to recreate the vulnerability scenario. This may include screenshots, videos or simple text instructions.
  2. Share with us your contact details (email address), so that our security team can reach out to you if further inputs are needed to identify or close the problem.
  3. If the identified vulnerability can be used to potentially extract information of our customers or systems, or impair our system’s ability to function normally, then please refrain from actually exploiting such a vulnerability. This is absolutely necessary for us to consider your disclosure a responsible one.
  4. While we appreciate the inputs of whitehat hackers, we may take legal recourse if the identified vulnerabilities are exploited for unlawful gain, to gain access to restricted customer or system information, or to impair our systems.
  5. Report bugs to us by sending an email to [email protected] with the following information:
    1. Individual Details
      1. Full Name
      2. Mobile Number
      3. Publicly identifiable profile (LinkedIn, GitHub, etc.)
    2. Bug Details
      1. Vulnerability Name
      2. Affected Areas
      3. Detailed Steps to reproduce the error
      4. Attachments (screenshots, error logs, etc.)

Scope

Any of the Procol iOS, Android or web apps which process, store, transfer or in any way use personal or sensitive personal information, such as authentication data and Personally Identifiable Information (PII).

Domains: procol.in

Qualifying Vulnerabilities

Any design or implementation issue that is reproducible and substantially affects the security of Procol users is likely to be in the scope of the program. Common examples include:

  1. Injections
  2. Cross-Site Scripting (XSS)
  3. Cross-Site Request Forgery (CSRF)
  4. Remote Code Execution (RCE)
  5. Authentication/Authorisation flaws
  6. Domain take-over vulnerabilities
  7. Ability to take over other Procol user accounts (while testing, use your own test account to validate)
  8. Any vulnerability that can affect the Procol Brand, user data and financial transactions
  9. Bulk User Sensitive Information Leak
  10. Descriptive error messages (e.g. Stack Traces, application or server errors)

Out of Scope

The following bugs are unlikely to be eligible:

  1. Vulnerabilities found through automated testing
  2. "Scanner output" or scanner-generated reports
  3. Publicly released CVEs or 0-days in internet software within 90 days of their disclosure
  4. "Advisory" or "Informational" reports that do not include any Procol testing or context
  5. Vulnerabilities requiring MITM or physical access to the victim’s unlocked device
  6. Denial of Service attacks
  7. SPF and DKIM issues
  8. Content injection
  9. Hyperlink injection in emails
  10. IDN homograph attacks
  11. RTL ambiguity
  12. Content spoofing
  13. Vulnerabilities relating to password policy
  14. Full-path disclosure on any property
  15. Version number information disclosure
  16. Third-party applications in the Procol Application directory (identified by the existence of a "Report this app" link on the app's page). Please report vulnerabilities in these services to the creator of that specific application.
  17. Clickjacking on pre-authenticated pages, the absence of X-Frame-Options, or other non-exploitable clickjacking vulnerabilities
  18. CSRF-able actions that do not require authentication (or a session) to exploit
  19. Reports related to the following security-related headers:
    1. Strict Transport Security (HSTS)
    2. XSS mitigation headers (X-Content-Type and X-XSS-Protection)
    3. X-Content-Type-Options
    4. Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
  20. Bugs that do not represent any security risk
  21. Security bugs in third-party applications or services built on the Procol API; please report them to the third party that built the application or service
  22. Security bugs in software related to an acquisition for a period of 90 days following any public announcement
  23. HTTP TRACE or OPTIONS methods enabled
  24. Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags
  25. Tap jacking
  26. Mobile client issues that require a rooted device and/or an outdated OS version, or SSL pinning issues
  27. Subdomain takeovers without supporting evidence
  28. Missing best practices in SSL/TLS configuration
  29. Vulnerabilities that cannot be used to exploit other users or Procol, e.g. self-XSS or having a user paste JavaScript into the browser console
  30. Open ports without an accompanying proof-of-concept demonstrating a vulnerability