bug bounty policy
We have temporarily suspended our bug bounty programme. We have not launched any new services in 2023 and we have not received any new reports, i.e. not priorly reported bugs. The programme will restart in 2024
We strive to keep its services safe for everyone, and data security is of utmost priority.We appreciate your help in disclosing security vulnerabilities to us privately and giving us an opportunity to fix it before publishing technical details.pensopay will validate, respond, and fix vulnerabilities and will not take legal action against, suspend, or terminate access to the service of those who discover and report security vulnerabilities responsibly.
Reporting
Share the details of any suspected vulnerabilities with pensopay via mail: bugbounty@pensopay.com. Please do not publicly disclose these details outside of this process without explicit permission. In reporting any suspected vulnerabilities, please include the following information:
• Vulnerable URL – the endpoint where the vulnerability occurs;
• Vulnerable Parameter – if applicable, the parameter where the vulnerability occurs;
• Vulnerability Type – the type of the vulnerability;
• Steps to Reproduce – step-by-step information on how to reproduce the issue• Screenshots or Video – a demonstration of the attack; and • Attack Scenario – an example attack scenario may help demonstrate the risk and get your issue resolved faster.
• Your name & address (AML concerns)
If you several finding please group them in a document, e.g. pdf, text or word.
In order for pensopay to payout any bounties you need to have a bank account with Swift and IBAN. After a bug is claimed and confirmed by pensopay you can send us an invoice containing your name, address, company, VAT-number and the payout (determined by pensopay)
Bounty Ineligible Issues
The following items are known issues or accepted risks where we will not reward you:
• Clickjacking or sessionhijacking
• Cookie flags.
• SPF, DKIM, DMARC issues.
• Malicious attachments on file uploads or attachments.
• Missing additional security controls, such as HSTS or CSP headers.
• Server- and software- versions
• Mobile issues that require a Rooted or Jailbroken device.
• Brute-force, / Rate-limiting, / Velocity throttling, and other denial of service based issues.
• XSS (or a behavior) where you can only attack yourself (e.g. “Self XSS”).
• XSS on pages where admins are intentionally given full HTML editing capabilities, such as custom theme editing
• Test and dev urls
Scope
The following areas is where we will reward you:
• app.pensopay.com
• pensopay/shopify apps
Out of scope is pensopay.com and dashboard.pensopay.com, as both of these will be replaced.
Bounties
We gladly offer a bounty for vulnerability information that helps us protect our customers as a thanks to the security researchers who choose to participate in our bug bounty program.
pensopay will decide the bounty amounts at our discretion, and all decisions are final.We will reward you for the following types of vulnerabilities (except where noted otherwise in our bounty ineligible section)
Rewards
We only reward the first reporter of a valid vulnerability who demonstrates the issue using their own account. Duplicate reports will not be rewarded.You are responsible for paying any taxes associated with the reward. Submissions from countries where we are prohibited by Danish or European law from making payments.
Critical €120
High €100
Medium €60
Low €40
Our Commitment
If you identify a verified security vulnerability in compliance with this Bug Bounty Policy, pensopay commits to:
• Acknowledge receipt of your vulnerability report in a timely manner
