Vulnerability Disclosure Policy
Welcome to CardUp Vulnerability Disclosure Program (VDP). This policy is designed to encourage security researchers and the general public to responsibly report security vulnerabilities they may discover on our Website/Cloud Assets. Your efforts help us maintain a safe and secure environment for our users.
Ensuring our customers' data is safe and our products and services are dependable is a top priority for CardUp. Therefore, we aim to design and build products and services with the highest levels of security and reliability.
This policy describes CardUp's approach to requesting and receiving reports related to potential vulnerabilities and errors in its products and services.
Customers, users, researchers, partners, and any other person who interacts with CardUp's products and services are encouraged to report identified vulnerabilities and errors using the details provided on this page.
CardUp highly appreciates the efforts made by the reporting party in identifying the vulnerability or error. This contributes to improving the security and reliability of our products and services.
Rules of engagement:
- Responsible Reporting: When reporting potential vulnerabilities and errors in CardUp's products and services, adhere to the guidelines below. The first rule is that you should not exploit or utilise any discovered vulnerabilities or errors for any purpose other than reporting them to CardUp.
- Ethical Testing: Avoid any testing or research with the intent to harm CardUp, its stakeholders, or partners. Ethical reporting ensures a secure environment.
- Data Integrity: Maintain data integrity. Do not tamper with, delete, alter, or destroy data accessed in the course of finding a vulnerability. This upholds the integrity of the investigation.
- Prohibited Activities: Prohibited activities include social engineering, spamming, phishing, denial-of-service and resource-exhaustion attacks, and running automated fuzzers, tools, or scripts. These actions are strictly off-limits during testing.
- Legal Compliance: Adherence to all applicable laws is mandatory. Actions leading to your report must not violate any relevant laws or regulations.
- Confidentiality: Maintain confidentiality. Do not disclose information about your report, the vulnerabilities, or the fact that you have reported them to CardUp. Do not disclose the vulnerability or details about it publicly.
- Limited Exploitation: Only exploit the vulnerability to the extent necessary to prove its existence; do not exploit it further than necessary.
- Service Integrity: Do not intentionally damage or degrade the integrity of CardUp's services.
- No Denial-of-Service (DoS) Attacks: Do not engage in any form of Denial-of-Service (DoS) attack against CardUp's services.
- Respect for Privacy: Do not violate the privacy of other users, destroy data, disrupt services, or engage in any harmful activities.
Reporting Process
If you believe you have discovered a security vulnerability, please submit a report by sending an email to security@cardup.co with the following information: a detailed description of the vulnerability, including steps to reproduce it, any relevant screenshots, videos, or proof of concept code, and your contact information. Our security team will then investigate the report and provide you with updates on our progress. Reporting a security issue to CardUp implies your acceptance of the terms and conditions outlined in the Vulnerability Disclosure Policy and Rules of Engagement.
We thank you for your time & expertise in improving the security of our company and customers.
Appreciation
As a token of our appreciation for your responsible disclosure, we offer an acknowledgment via email. Additionally, individuals who make substantial contributions to the security of our services, such as identifying and reporting impactful vulnerabilities, will be featured on our Hall of Fame, subject to their consent.
Contact
If you have any specific questions pertaining to the program scope and vulnerabilities, you can reach out to the CardUp team at security@cardup.co.
Hall of Fame:
Year 2024
Out of scope:
- Subdomain takeover without actual proof.
- Account harvesting (e.g. enumerating WordPress usernames).
- Access to keys and credentials without proof that they are valid.
- Lack of rate-limiting on API endpoints, unless it allows brute-forcing of a pass token with insufficient entropy (e.g. a 4-digit passcode without invalidation and rate-limiting).
- Vulnerabilities found on rooted mobile devices.
- UUID enumeration of any kind.
- Invite/promo code enumeration.
- Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g. stealing OAuth tokens, we do still want to hear about them.
- Reports that state that software is out of date/vulnerable without a proof-of-concept.
- Reports that affect only outdated user agents or app versions; we only consider exploits in the latest browser versions of Safari, Firefox, Chrome, Edge, and IE, and the versions of our application that are currently in the app stores.
- Stack traces, path disclosure, and directory listings.
- CSV injection.
- Best-practice concerns.
- Highly speculative reports about theoretical damage; please always provide a proof-of-concept.
- Vulnerabilities that cannot be used to exploit other users or CardUp, e.g. self-XSS (having a user paste JavaScript into the browser console).
- Most vulnerabilities within our sandbox or staging environments.
- Vulnerabilities reported by automated tools without additional analysis as to how they are an issue.
- Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.
- Distributed denial-of-service attacks (DDoS) or any activity that will cause service disruptions.
- Content injection issues.
- Cross-Site Request Forgery (CSRF) with minimal security implications (logout CSRF, etc.).
- Missing cookie flags on non-authentication cookies.
- Email spoofing.
- Missing HTTP security headers.
- Lack of HttpOnly and Secure cookie flags.
- Issues that require physical access to a victim's computer/device.
- SSL/TLS scan reports (this means output from sites such as SSL Labs).
- Banner grabbing issues (figuring out what web server we use, etc.).
- Open ports without an accompanying proof-of-concept demonstrating a vulnerability.
- Broken link hijacking.
- Entering the CardUp offices, throwing crisps everywhere, unleashing a bunch of hungry raccoons, and hijacking an abandoned terminal on an unlocked workstation while staff are distracted (social engineering, etc.).