Responsible Disclosure of Security Vulnerabilities
If you have discovered a vulnerability, we request that you responsibly disclose the vulnerability to our security team by taking the following steps:
- Do not attempt to exploit the vulnerability. Do not share the suspected vulnerability or any data with others. Do not store or copy any unauthorized data. Doing any of these things will void eligibility for a bounty program reward.
- Email the details to our Security Incident Response Team at email@example.com.
- If the contents of the vulnerability are sensitive in nature, please use our PGP key found below to encrypt the information.
Patron Technology incentivizes responsible disclosure of vulnerabilities through reward payments. The following describes the process for determining reward bounty and eligibility.
All reported vulnerabilities are checked for validity, ranked, and then reviewed for reward eligibility by the Patron Technology InfoSec team. The severity of the vulnerability dictates the amount of the reward bounty.
Patron Technology has established a Vulnerability Ranking Matrix based on NIST’s Common Vulnerability Scoring System V3. The Vulnerability Ranking Matrix is defined below. Vulnerabilities are ranked using the guidelines below with assistance from the NIST CVSS Calculator. The final ranking for a vulnerability is the sole discretion of Patron Technology InfoSec.
CVSS >= 9.0
Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, financial theft, large scale access to PII, etc.. At the discretion of Patron Technology, vulnerabilities that demonstrate a critical, widespread risk to information security may be eligible to receive a reward greater than the standard bounty.
Example: Vulnerabilities that result in unrestricted Remote Code Execution such as Vertical Authentication bypass, SSRF, XXE, SQL Injection, User authentication bypass.
CVSS 7.0 – 8.9
Vulnerabilities that affect the security of the platform including the processes it supports.
Example: Lateral authentication bypass, Stored XSS, some CSRF depending on impact.
CVSS 5.0 – 6.9
Vulnerabilities that affect multiple users, and require little or no user interaction to trigger.
Example: Some reflective XSS, Some direct object reference, URL Redirect, some CSRF depending on impact.
CVSS < 5.0
Issues that affect singular users and require interaction or significant prerequisites (MITM) to trigger.
Example: Common flaws, Detailed debug information.
Non-exploitable weaknesses and “won’t fix” vulnerabilities.
Best practices, mitigations, issues that are by design or acceptable business risk to the customer such as use of CAPTCHAS.
In Scope Domains
The following domains are eligible for the reward program. Vulnerabilities reported on other domains, even if they appear to be owned by Patron Technology may not be eligible for reward payments.
In Scope Mobile Applications
Terms of Eligibility
Each vulnerability report must meet the following conditions in order to be eligible to receive a reward payment. The decision for eligibility is ultimately at the discretion of the Patron Technology InfoSec Team.
- The vulnerability must be at least a severity P4 or greater to be eligible for a reward payment.
- The vulnerability must be on an in-scope domain or mobile app.
- The reporter must not attempt to exploit the vulnerability.
- The reporter must not disclose the vulnerability with others.
- The reporter must not copy or store unauthorized data.
- The reporter must not be a current or previous employee of Patron Technology.
The Patron Technology InfoSec Team will respond to all reports in a timely fashion. Patron Technology InfoSec will notify the reporter if the vulnerability is confirmed and eligible for reward payment. If the vulnerability is eligible, Patron Technology InfoSec will coordinate with the reporter to pay the reward.
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1
mQENBF1j//MBCACxqIOVGeab36yHCMqfRndP7H8o1XuQenT0O1yIZf6+27Z9Qn0x wPB4y477I8BrIapHf4lB6nObFs3IrCvEfBwF4/QXgR5EG6ZesvqnYNYvnqWOmywy o0BSpE03h1CTDvbqstINmjsqRLFcLs8pC78xw7Ao/mvxg3bmNk44V0lDU4Q0GjSI +F252OFcos/JkikGPL4TZorRa+OKyJDZnBRE2WyFpBtrQ4g5BG029rlX6WjuSCKs v6TPgS2o8yoksQD2tbLYEEQ3wIwTfhE+GI28qgrK/c+SNY2qskhfJ85WGc7l87+d Ilfgj6jGnEg5P1UUM6l+epFklih3QYxeAB/LABEBAAG0RlBhdHJvbiBUZWNobm9s b2d5IEluZm9ybWF0aW9uIFNlY3VyaXR5IDxzZWN1cml0eUBwYXRyb250ZWNobm9s b2d5LmNvbT6JATgEEwECACIFAl1j//MCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4B AheAAAoJEKO1jLZ11HH46IgH+wVppvN8tpPjUKkTGUtAmoHUt4dysWEylafzEMCD oJwGDkDNnthsEIx6zfekFXyWD9Ievv/3+EIbonsw8lw0EzGkN3lXqvDdTCEogfp/ LhkTA2xEWNI7Vic8CdXM1P9xE+T1NpWVSx+FbvP1ygA6i67oEYN+IzWwmwG/AgRU IU89W1p9vdJLQl8HVkl6E0Zo1QKZlglU3Hd9W1IBiF68z3ounc786DV+QwhnUT4z HylB+sgiOD1SLPQV+WLtCms3gTNecJi3/IO8BBaylXmkvqbqdPTrkoq3+iSLyq3c bsVszrS/xxnR2c7cbIlUB25tazmNOJYaB2jeK0CG0g3tBNm5AQ0EXWP/8wEIALxV iyBnQLfXhP/ZK/vsQUXkd5gB0nmdn79w8LYes7uW5MZWmoD6wqumNZxzzR5TG0pg D4WdegjqXLs/XJTGj0EHjAr1peQhtoHbcRcZTC/oan9wjGCTCuB2bS/8GLlcSRHC 6MO3Q9vWmVf8yQUfNBP59P/gv+vbvyu68Ud8gsz7PkisnxF06IvX3JfFR42tctbe BViPWl/FwLqu4fHr/pjdR8XkE7Xozhor+coR77uEIGnwxLGj0f6conI7yrVDqf/i +ToucemElNYgWz0zrY1oh4liM8DI82WyXsAc098Bw3EXPadtOeZFm00XjqD5+G6q j1oPz98yeUdHNXai06EAEQEAAYkBHwQYAQIACQUCXWP/8wIbDAAKCRCjtYy2ddRx +MzDB/9J5u7eBU+GEU7YxQKioZHaszQeQfhWBSHAKlY1N2WlB+YX4YVcHC+8NWvf H8aYM3sIEdpFBwQyHS4KieQ4oqGNxd89lEor+q3l0WH7CUF86BfaTsOs6mIL/lDE bDTbzhNgiB3X46SlVRe8opFY4H2LZJdirtkZTHGMhTxECFTrwT5XTI0ylINMe1cf C1FGeAw1SGoRSIHX4CXSIBmkn8QeW+ls1L3neCysWo207/4RW1hlgngvqVmcCum/ t92SKmAFWoMJ0T5KtkKmnjwIeIkVlbLms9vaqyHFN1YQW7S86BJO+Jwc3vbGSGWm tCg3+aUBuGgaNb5gJOdSkAZQCn/u =EcV3 -----END PGP PUBLIC KEY BLOCK-----