
At Rellancer Software Solution Pvt. Ltd., we are committed to ensuring that BOBPEY remains a secure and trustworthy platform. We strive to create a safe browsing environment for our users. If a security researcher or any member of the public discovers a vulnerability in our systems and reports it responsibly, we highly appreciate their efforts. We work closely with them to address the issue promptly and, if they prefer, acknowledge their contribution publicly. Rellancer Software Solution Pvt. Ltd. reserves the right to assess reported vulnerabilities based on their business impact. Our top priority is to protect users' sensitive information and uphold the trust they place in BOBPEY. The cooperation of the security community plays a crucial role in strengthening our platform's security for everyone.
Non-Compliance
Publicly disclosing the details of any identified or alleged security vulnerability without express written authorization from Rellancer Software Solution Pvt. Ltd. renders the submission non-compliant with this Responsible Disclosure Policy for BOBPEY.
Furthermore, to remain compliant, you are prohibited from:
- Accessing, downloading, or modifying data residing in an account that does not belong to you
- Executing or attempting to execute any “Denial of Service” attack
- Posting, transmitting, uploading, linking to, sending, or storing any malicious software
- Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages
- Testing in a manner that would degrade the operation of any BOBPEY systems
- Testing third-party applications, websites, or services that integrate with or link to BOBPEY systems
Types of Recognition
- Hall of Fame
Program Terms & Conditions
The Program applies to security vulnerabilities found within Rellancer Software Solution Pvt. Ltd.'s environment, including, but not limited to, BOBPEY's websites, APIs, and mobile applications. We recognize security researchers who help us keep users safe by reporting vulnerabilities in our services. The recognition for these reports is entirely at Rellancer Software Solution Pvt. Ltd.'s discretion and is determined based on factors such as severity, likelihood, and business impact of the reported finding.
Typically, in-scope submissions are high-impact vulnerabilities. However, any vulnerability that could realistically place our customers’ security or their data at significant risk is in scope and may be recognized. Vulnerabilities that directly or indirectly affect the confidentiality or integrity of user data or privacy are prime candidates for recognition. Qualifying vulnerabilities are typically those that:
- Directly or indirectly affect the confidentiality or integrity of user data or privacy;
- Compromise the integrity of the system;
- Enable unauthorized access to significant data or resources;
- Enable the running of unauthorized code;
- Increase privileges or access beyond that which is intended;
- Interfere with or bypass security controls or mechanisms;
- Are exploitable (i.e. not purely theoretical);
- Can be launched remotely; and
- Could cause damage to a user’s system
To be eligible for recognition under the Program, you MUST meet the following requirements:
- Adhere to BOBPEY Responsible Disclosure Policy
- Your report must describe a security vulnerability involving and/or affecting one of the products or services listed under “Scope”.
- Your finding must not fall into a category we expressly exclude; these categories are listed under “Program Exclusions”.
- If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating a vulnerability, make sure that you disclose this in your report.
In addition, you MUST NOT:
- Be in violation of any national, state, or local law or regulation;
- Be employed by Rellancer Software Solution Pvt. Ltd. or its subsidiaries;
- Be an immediate family member of a person employed by Rellancer Software Solution Pvt. Ltd., or its subsidiaries or affiliates.
Our commitment
If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy, BOBPEY commits to:
- Working with you to understand and validate the issue
- Addressing the risk (if deemed appropriate by BOBPEY)
- Investigating and responding to all valid reports. Our turnaround time (TAT) for an initial response to a new report is usually 3-5 business days; however, we prioritize investigations based on risk and other factors.
- In the event of duplicate reports, we recognize the first person (or submitter) of a qualifying security vulnerability. (BOBPEY determines duplicates and may not share details of the other reports.)
- Note that the use of BOBPEY services, including for the purposes of this program, is subject to BOBPEY Terms and Policies. We may retain any communications about security vulnerabilities that you report for as long as we deem necessary for program purposes, and we may cancel or modify this program at any time.
Program Scope
- BOBPEY Consumer Web app & Website
- BOBPEY For Merchant Web app & Website
- bobpey.com
- merchant.bobpey.com
- onboard.bobpey.com
- bobpey.com/shop
The BOBPEY Security Team might consider submissions outside the above scope for further processing at its discretion without any commitment to bounty or recognition.
How to Report a Vulnerability?
If you have identified a vulnerability in any of our web or mobile app properties, please follow the steps outlined below:
- Please submit the vulnerability report form with the necessary details to recreate the vulnerability scenario. This may include screenshots, videos or simple text instructions.
- If the vulnerability could expose information about our customers or systems, or impair our systems’ ability to function normally, do not exploit it beyond what is needed to demonstrate it. Stop at a proof of concept; this is what allows us to treat your disclosure as a responsible one.
- While we appreciate the input of white-hat hackers, we may pursue legal recourse if identified vulnerabilities are exploited for unlawful gain, to access restricted customer or system information, or to impair our systems.
Qualifying Vulnerabilities
Any design or implementation issue that is reproducible and significantly impacts the security of BOBPEY customers falls within the scope of the program. The Vulnerability Rating Taxonomy serves as the standard framework for assessing technical severity.
- Injection vulnerabilities, including SQL and XML injection
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Server-side or Remote Code Execution (RCE)
- Authentication/authorization flaws, including IDOR and authentication bypass
- Domain takeover vulnerabilities
- Account Takeover (while testing, use a test account for PoC)
- Directory Traversal
- Sensitive Information Disclosure that can affect BOBPEY's customers, merchants, and/or overall BOBPEY brand
- Significant security misconfiguration with a verifiable/exploitable vulnerability (a PoC is required)
- Sensitive/Internal Credentials disclosed by BOBPEY or its employees posing a valid/verifiable risk to an in-scope asset (subject to investigation/authenticity of data).
Program Exclusions – Out Of Scope Vulnerabilities
The following categories of vulnerabilities are unlikely to be eligible and are excluded from recognition in the Program unless otherwise directed by BOBPEY:
- Findings/Reports generated by automated scanner tools.
- Mobile client findings that require a ROOTED device.
- Outdated OS versions/App versions related vulnerabilities.
- Findings that cannot be utilised to exploit other users/customers of BOBPEY – e.g., self-XSS.
- Publicly released CVEs and 0-days (zero-day vulnerabilities) within 90 days of their disclosure.
- “Advisory” or “Informational” reports that do not include any BOBPEY testing or context.
- Threat Intel Reports.
- Vulnerabilities requiring MITM or physical access to the victim’s unlocked device.
- Any form of Denial of Service attacks/exploits.
- SPF and DKIM issues.
- Content injection.
- Hyperlink injection in emails.
- IDN homograph attacks.
- RTL Ambiguity.
- Content Spoofing.
- Password Policy related issues in Applications.
- Full-Path Disclosure on any property.
- Version number information disclosure.
- Clickjacking on pre-authenticated pages, the non-existence of X-Frame-Options, or other non-exploitable clickjacking vulnerabilities.
- CSRF-able actions that do not require authentication (or a session) to exploit.
- Login/logout CSRF.
- Reports related to missing or misconfigured security headers: Strict-Transport-Security (HSTS), XSS mitigation headers (X-XSS-Protection), X-Content-Type-Options, and Content-Security-Policy (CSP) settings (excluding a missing nosniff directive in an exploitable scenario).
- Bugs that do not represent any security risk – e.g. functional bugs, logical bugs, workflow bugs, feature bugs, etc.
- Open Redirect vulnerabilities (Phishing).
- Security bugs in third-party applications or services built on the BOBPEY API: please report them directly to the company that built the application or service.
- Security bugs in software related to an acquisition for 90 days following any public announcement.
- Findings related to HTTP TRACE or OPTIONS methods.
- Non-sensitive (i.e., non-session) cookies missing the Secure or HttpOnly flags.
- Tap jacking.
- Subdomain takeovers without supporting evidence.
- Missing best practices in SSL/TLS configuration.
- Open ports without an accompanying proof-of-concept demonstrating vulnerability.
BOBPEY Web App-specific Exclusions:
- Reports that the BOBPEY Web app does not verify the CVV of credit cards: this verification can only be performed by the card-issuing bank and is outside BOBPEY's control.
- Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device.
- Username enumeration on customer-facing systems (i.e. using server responses to determine whether a given account exists).
- Vulnerabilities requiring extensive user interaction.
- Exposure of non-sensitive data on the device.
- Vulnerabilities on third-party libraries without showing specific impact on the target application (e.g. a CVE with no exploit).
Reports not Eligible for Recognition
All out-of-scope assets and vulnerabilities mentioned above are NOT eligible for recognition/rewards. Multiple reports of the same bug on different endpoints will be closed as duplicates if they share a single root cause and require one fix.
Reporting a security finding
We encourage security researchers to report any suspected vulnerabilities to the BOBPEY Security Engineering Team by submitting the form under the "How to Report a Vulnerability?" section. Rellancer Software Solution Pvt. Ltd. will review the submission to verify its validity and ensure it has not been previously reported. At our discretion, you may be eligible for recognition for your efforts (see Acknowledgements below). However, employees of Rellancer Software Solution Pvt. Ltd., its subsidiaries, and vendors currently working with BOBPEY are not eligible for recognition. If you fall into any of these categories, you must disclose it in your report. We require security researchers to provide detailed information, including step-by-step instructions, to help us reproduce the vulnerability.
Acknowledgements
We do not have a bounty/cash reward program for such disclosures, but we express our gratitude for your contribution in other ways. For genuine ethical disclosures, we would be glad to publicly acknowledge your contribution in the Hall of Fame on our website. Of course, this is done only if you want a public acknowledgement.
Hall Of Fame
Rellancer Software Solution Pvt. Ltd. thanks the following individuals for identifying and responsibly disclosing security vulnerabilities in BOBPEY-owned apps, products, or services. We sincerely appreciate their contributions and efforts in enhancing the security of BOBPEY.