
Vulnerability Disclosure Policy
Version 1.0, May 2025
Introduction
Protecting transactions and data is at the core of what we do at Shieldpay. Despite our continuous efforts to strengthen protections, the evolving nature of cybersecurity means vulnerabilities may still be identified. If you identify a security issue, we encourage you to report it so we can assess and address it appropriately.
This vulnerability disclosure policy applies to any vulnerabilities you are considering reporting to us (the “Organisation”). We recommend that you read this vulnerability disclosure policy in full before reporting a vulnerability and always act in compliance with it.
Reporting a vulnerability
To report a vulnerability, please email security [at] shieldpay.com with the following details:
- The affected service, such as the URL, IP address, or product version.
- A clear description of the issue, e.g. “SQLi vulnerability”, including the potential impact.
- Steps to reproduce the vulnerability, including the tools that were used and any supporting evidence such as screenshots or proof-of-concept code.
For secure communication, we provide an encryption key in our security.txt file.
What you can expect from us
When a valid security vulnerability is reported in good faith, we will:
- Acknowledge receipt of the report within 5 business days.
- Provide an initial assessment of the report within 10 business days.
- Work to resolve confirmed vulnerabilities within a reasonable timeframe, based on severity and impact.
- Keep the reporter informed of progress where appropriate.
Safe harbour
Provided that you comply with this policy, we consider your research to be authorised and will not pursue or support any legal action related to it. If legal action is initiated by a third party against you in connection with any activities carried out under this policy, we will make it clear that your actions were undertaken in compliance with this policy.
Rewards
We do not currently offer financial compensation or rewards for vulnerability submissions, nor do we reimburse any expenses incurred during research. We appreciate those who contribute to the security of our systems and may provide public recognition for valid reports. Any acknowledgment will only be given with your consent, and we will discuss the details with you in advance if appropriate.
What we expect from you
We ask researchers to:
- Act responsibly – do not exploit vulnerabilities beyond what is necessary to prove their existence.
- Avoid disruption – do not perform tests that could degrade system performance or impact users.
- Respect privacy – do not access or modify data that does not belong to you.
You must NOT:
- Break any applicable law or regulations.
- Access unnecessary, excessive or significant amounts of data.
- Retain or store any data acquired during testing beyond what is necessary for verification and reporting.
- Modify data in the Organisation's systems or services.
- Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
- Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
- Disrupt the Organisation's services or systems.
- Communicate any vulnerabilities or associated details other than by means described in the published security.txt.
- Engage in social engineering or phishing, or physically attack the Organisation's staff or infrastructure.
- Demand financial compensation in order to disclose any vulnerabilities.
What not to report
Shieldpay welcomes vulnerability reports that demonstrate a clear security impact. Please refrain from submitting issues that are purely theoretical or represent a deviation from best practices without demonstrated exploitability and impact. The following categories are outside the scope of this policy and may not receive a response:
Unclear report
- Reports without clear evidence of exploitation or security risk.
- Reports indicating that the services do not fully align with best practice.
- Complaints, queries or reports not relevant to security vulnerabilities.
Reconnaissance findings
- Disclosure of public information that does not present risk (e.g. web server type or version).
- Reports from automated scanning tools (e.g. ZAP, Nuclei) without valid proof of concept.
- Presence or absence of SPF, DKIM, DMARC, DNSSEC configurations.
- Missing security headers, best practice recommendations, or non-exploitable weaknesses (e.g., lack of HSTS, missing HTTP-only flags on non-sensitive cookies).
- Reports of insecure SSL/TLS ciphers (unless backed by a working proof of concept).
Non-impactful risks
- CSRF on non-sensitive actions.
- Clickjacking on non-authenticated or non-sensitive pages.
- Content spoofing or text/image injection without security impact.
- Phishing risks based on Unicode, Punycode, or RTLO issues.
- Ability to learn if a username or email exists on our platform.
- HTML character set vulnerabilities.
- Cacheable HTTPS pages that do not involve sensitive transactions.
- Self-XSS (unless shown to affect another user).
- Use of known vulnerable libraries without proof of exploitability.
- Presence of autocomplete attributes on web forms.
- Open redirects that do not lead to credential theft, session hijacking, or data exposure.
Client-side risks outside of our control
- Vulnerabilities affecting users of outdated browsers.
- Reports requiring a jailbroken or rooted device, unless it leads to a server-side compromise.
- Attacks requiring physical access to a user’s device.
- Vulnerabilities contingent on a client system previously being compromised.
Rate limiting
- Absence of rate limiting, unless related to authentication or sensitive operations.
Non-production and third-party services
- Reports affecting third-party services or applications outside Shieldpay’s control.
- Findings in sandbox, test or demo sites.
Legalities
Shieldpay will not take legal action against researchers who follow this policy in good faith. However, we reserve the right to take action against activities that:
- Involve exploiting vulnerabilities beyond what is necessary to demonstrate an issue.
- Result in data theft, service disruption, or harm to our users.
- Violate applicable laws or regulations.
Questions
We appreciate your efforts in helping us maintain a secure platform. If you have any questions, please reach out to security [at] shieldpay.com.