Deferit Vulnerability Disclosure Policy

Introduction

Deferit strives to maintain our customers’ trust by proactively ensuring the integrity of our systems. To facilitate this, we want to encourage responsible disclosure of security vulnerabilities. If anyone believes they have discovered a potential security vulnerability within Deferit’s applications or infrastructure, we strongly encourage them to disclose it to Deferit’s security team as soon as possible and in a responsible and conducive manner. This policy only applies to any digital assets owned, operated or maintained by Deferit. Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.

Deferit appreciates the important role that security researchers play and are committed to reviewing all disclosure reports. We will attempt to address each issue in a timely manner, and request that individuals wait for confirmation from the Deferit security team that the issue has been resolved before engaging in any form of public disclosure. A key element of these Responsible Disclosure Guidelines is that any disclosure (either publicly or to any other third party) of the details of any potential security vulnerabilities must not be made without express written consent from Deferit’s security team.

Safe Harbour

To encourage responsible disclosure, we will not take legal action against security researchers in relation to the discovery and reporting of a potential security vulnerability, where both the relevant discovery, and reporting, are conducted strictly in accordance with these Responsible Disclosure Guidelines, and within applicable laws and regulations. In the event of any non-compliance, we reserve all of our legal rights.

The Safe Harbor applies only to legal claims under the control of Deferit and does not bind independent third parties.

Reporting a vulnerability:

To responsibly disclose potential security vulnerabilities, please contact the Deferit Security Team by emailing security@deferit.com. In your email, include specific details of the potential security vulnerability and provide sufficient information to enable the Security Team to reproduce your steps.

In your report disclosing a potential security vulnerability, please include as much information as possible, including:

  • An explanation of the potential security vulnerability;
  • Any products and services that may be affected (if possible);
  • How to reproduce the vulnerability;
  • Proof-of-concept code (as applicable);
  • The names of any test accounts you created (if applicable); and
  • Your contact information (Identifying an email is sufficient).

Responsible Disclosure Guidelines

While we encourage responsible security research by independent research on our products and services, it must be conducted in accordance with the following guidelines:

  1. Only conduct Vulnerability research and testing on services and products to which you have authorised access. Do not engage in any activity that causes harm (or could potentially cause harm) to Deferit, our customers, suppliers, third parties, or our employees.
  2. Do not engage in any activity that can potentially or actually stop or degrade Deferit’s services or assets.
  3. Do not engage in any activity which could damage Deferit’s reputation or brand or the reputation and brand of any of Deferit’s related companies, partners or customers.
  4. Do not engage in any activity that violates:
    1. federal or state laws or regulations
    2. the laws or regulations of any country where
      1. data, assets or systems;
      2. data traffic is routed or
      3. the researcher is conducting research activity.
  5. Do not store, share, compromise or destroy Deferit or customer data. If personal data that is not publicly available is encountered, you must immediately contact the Deferit security team, immediately halt your activity and purge any related data from your system. This step protects any potentially vulnerable data, and you.
  6. Do not initiate a fraudulent financial transaction.
  7. Do not share any information regarding the security vulnerability publicly or to a third party before confirmation from the Deferit Security Team, that the issue has been resolved.

Activities not covered

The following activities are strictly prohibited, any attempt to engage in one of these activities will be considered to be a breach of these Responsible Disclosure Guidelines:

  • Physical Testing
  • Social Engineering
    • Including but not limited to attempts to steal cookies and the use fake login pages to collect credentials
  • Phishing
  • Denial of service attacks (E.g. Syn Flood)
  • Resource Exhaustion Attacks lasting longer than 1 second or across a large volume of requests
  • Any actions which harm or may harm Deferit’s systems, applications, infrastructure, property, or employees.
  • Any actions which may lead to the exposure, compromise, damage or destruction of Deferit data including but not limited to:
    • Customer Data;
    • Merchant Data;
    • Deferit Source Code; or
    • Deferit IP.