Responsible Disclosure

At Softpay we take security seriously and strive to continuously improve.

How do you report?

Send an email to us at responsible-disclosure@softpay.io. We prefer that you use our public PGP key to encrypt and protect the information you send. Please make sure to include the following information:

  • A detailed description of the vulnerability, including the affected URL and the type of vulnerability.
  • A CVSS v3 score (Common Vulnerability Scoring System).
  • The information we need in order to reproduce the problem.
  • If applicable, a screenshot of the vulnerability you have found.
  • Contact information: name, email, phone number, and your public PGP key (if you have one).
  • Technical details (endpoint; vulnerable component such as GET/POST parameters, cookie, header or path; HTTP method).

What can you report?

You can report security flaws that you have found in Softpay’s homepage or application. Examples of security flaws are cross-site scripting, flaws in encryption, and flaws with security implications in logic controls. The reporting service is not for other logical errors, errors in texts, questions about our services, questions about the security of our services, or similar.

What can you expect of Softpay?

We will confirm that we have received your description, continuously keep you updated while we process the issue, and inform you when the issue is fixed.

Claims for compensation as a condition for submitting a vulnerability will not be accepted.

What is required of you?

For the security of Softpay and our customers it is important that you follow good practice, i.e. that:

  • You do not use the vulnerability to access or attempt to access information that does not belong to you.
  • You do not use the vulnerability to remove or modify information.
  • You do not affect the availability of our services through denial-of-service attacks.
  • You give us an opportunity to fix the reported vulnerability before going public with it.

What is in scope?

Softpay’s app and website.

Can you file a report anonymously?

Yes, but then we cannot respond to you or keep you updated on the status.

PGP key

Key ID: ###