Payhawk greatly appreciates investigative work into security vulnerabilities which are carried out by well-intentioned, ethical security researchers. We are committed to thoroughly investigating and resolving security issues in our platform and services in collaboration with the security community. This document aims to define a method by which Payhawk can work with the security research community to improve our online security.
Vulnerabilities in Payhawk products and services are only within the scope of the Bug Bounty Scheme when they meet the following conditions:
The following security issues are currently not in scope (please don’t report them):
Unfortunately, due to the Payhawk funding structure, it is not currently possible for us to offer a paid bug bounty program. We would, however, like to offer a token of our appreciation to security researchers who take the time and effort to investigate and report security vulnerabilities to us according to this policy. Reporters of qualifying vulnerabilities will be offered a unique Payhawk reward.
If you have discovered an issue that you believe is an in-scope security vulnerability (please see section 2 above for more detail on scope), please email security@payhawk.com ensuring the communication is encrypted with our public key hosted at: https://payhawk.com/.well-known/pgp_key.asc.txt with serial: 29E9A9EE82D1DC0A
In accordance with industry convention, we ask that reporters provide benign (i.e. non-destructive) proof of exploitation wherever possible. This helps to ensure that the report can be triaged quickly and accurately whilst also reducing the likelihood of duplicate reports and/or malicious exploitation for some vulnerability classes (e.g. sub-domain takeovers). Please ensure that you do not send your proof of exploit in the initial, plaintext email if the vulnerability is still exploitable. Please also ensure that all proof of exploits is in accordance with our guidance (below), if you are in any doubt, please email security@payhawk.com for advice.
Please read this document fully prior to reporting any vulnerabilities to ensure that you understand the policy and can act in compliance with it.
In response to your initial email to security@payhawk.com, you will receive an acknowledgment reply email from the Payhawk Security Team, this is usually within 24 hours of your report being received. The acknowledgment email will include a ticket reference number which you can quote in any further communications with our Security Team.
Following the initial contact, our Security Team will work to triage the reported vulnerability and will respond to you as soon as possible to confirm whether further information is required and/or whether the vulnerability qualifies as per the above scope, or is a duplicate report. From this point, necessary remediation work will be assigned to the appropriate Payhawk teams and/or supplier(s). Priority for bug fixes and/or mitigations will be assigned based on the severity of impact and complexity of exploitation. Vulnerability reports may take some time to triage and/or remediate, you’re welcome to enquire on the status of the process but please limit this to no more than once every 14 days, this helps our Security team focus on the reports as much as possible.
Our Security Team will notify you when the reported vulnerability is resolved (or remediation work is scheduled) and will ask you to confirm that the solution covers the vulnerability adequately. We will offer you the opportunity to feedback to us on the process and relationship as well as the vulnerability resolution. This information will be used in strict confidence in order to help us improve the way in which we handle reports and/or develop services and resolve vulnerabilities. We will also offer to include reporters of qualifying vulnerabilities on our acknowledgments page and we’ll ask for the details you wish to be included.
Security researchers must not:
We request that any and all data retrieved during research be securely deleted as soon as it is no longer required and at most, 1 month after the vulnerability is resolved, whichever occurs soonest.
If you are unsure at any stage whether the actions you are thinking of taking are acceptable, please contact our security team for guidance (please do not include any sensitive information in the initial communications): security@payhawk.com
This policy is designed to be compatible with common good practices among well-intentioned security researchers. It does not give you permission to act in any manner that is inconsistent with the law or cause Payhawk to be in breach of any of its legal obligations, including but not limited to:
If you wish to provide feedback or suggestions on this policy, please contact our security team: security@payhawk.com. This policy will evolve over time and your input will be valued to ensure that it is clear, complete, and remains relevant.