Please note, Ingenico does not operate a public bug bounty program and we make no offer of reward or compensation in exchange for submitting potential issues.
Responsible Disclosure Program Guidelines
We require that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Do not engage in any activity that can potentially or actually cause harm to Ingenico, our customers, or our employees;
- Do not initiate a fraudulent financial transaction;
- Do not store, share, compromise or destroy Ingenico or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Ingenico. This step protects both the potentially exposed data and you;
- Do not engage in any activity that violates (a) European, federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity;
- Perform research only within the scope set out below;
- Use the identified communication channels to report vulnerability information to us; and
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Ingenico Group.
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursue or support any legal action related to your research;
- Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission);
- Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
In turn, we ask that you:
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue;
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party;
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Who can participate in the program
Anyone who does not work for Ingenico Group or an Ingenico partner, reports a unique in-scope security issue, and does not disclose it to a third party.
Scope
- Any public-facing website owned, operated, or controlled by Ingenico and affiliate companies, including web applications hosted on those sites.
- All consumer accessible systems of Software-based PIN Entry on COTS, including the PIN CVM Application itself as well as the protocols used to communicate between the PIN CVM Application, SCRP and back-end monitoring systems.
Out of scope
Any client sites or services hosted by third-party providers are excluded from scope.
Since 1 November 2020 Ingenico has been part of Worldline, but until further notice any public-facing website owned, operated, or controlled by Worldline and Worldline affiliate companies, including web applications hosted on those sites, is excluded from the program.
In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:
- Findings from physical testing such as office access (e.g. open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing, vishing)
- Findings from applications or systems not listed in the ‘Scope’ section
- UI and UX bugs and spelling mistakes
- Resource Exhaustion Attacks
- Network level Denial of Service (DoS/DDoS) vulnerabilities
Additionally, we require that:
- You do not exfiltrate any data under any circumstances;
- You do not intentionally compromise the privacy or safety of Ingenico personnel or any third parties;
- You do not intentionally compromise the intellectual property or other commercial or financial interests of any Ingenico personnel or entities, or any third parties.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Ingenico Group and our users safe!
Please submit your report to: [email protected]