Vulnerability Disclosure Policy
We take the security of our systems seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users.
Guidelines
We require that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Use the identified communication channels to report vulnerability information to us; and
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Eway until we’ve had 90 days to resolve the issue.
If you follow these guidelines when reporting an issue to us, we commit to work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission).
In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:
- Findings from physical testing such as office access (e.g. open doors, tailgating);
- Findings derived primarily from social engineering (e.g. phishing, vishing);
- UI and UX bugs and spelling mistakes; and
- Network-level Denial of Service (DoS/DDoS) vulnerabilities.
Things we do not want to receive:
- Personally identifiable information (PII)
- Credit cardholder data
How to report a security vulnerability?
If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us by emailing security@eway.io. Please include the following details with your report:
- Description of the location and potential impact of the vulnerability; and
- A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us).
If you’d like to encrypt the information, please use our PGP key.