Responsible Disclosure Policy

Security Vulnerabilities

OneATM makes non-stop efforts to make sure that our environment is safe and secure for everyone to use. The security of our data and system is of great importance to us. We appreciate you disclosing the security vulnerabilities to OneATM in a responsible manner that you have discovered in any of OneATM services. When you report the vulnerabilities to OneATM as per this Responsible Disclosure Policy, we will engage with you as external security researcher (the Researcher).

Responsible Disclosure Policy

Given that a Researcher when reporting the security vulnerabilities to OneATM abides by the rules prescribed in this Responsible Disclosure Policy unless specified otherwise by the law or the payment scheme practices, OneATM commits to:

• Acknowledge the receipt of the vulnerability report immediately and work with the researcher to understand and attempt to fix the issue expeditiously;
• Validate and verify, respond and fix that vulnerability in accordance with our commitment to privacy and security. We will inform you when the issue is resolved;
• Not proceed or take legal action against you or the person who reported such security vulnerability unless specified otherwise by the law;
• Not stop, suspend or hold the access to the OneATM services if you are a merchant and not to stop, suspend or hold the access of the merchants to the OneATM services to which you represent, if you are an agent;
• Acknowledge and appreciate you disclosing the vulnerabilities to OneATM in a responsible manner in our Hall of Fame.

In Scope of this Policy

Out of Scope

Testing

To perform any testing or research, a Researcher can use their own merchant accounts and do not access the account or data of which they are not the owner. A Researcher testing the merchant account can be the account owner or an agent approved by the account owner. The Researcher, in no case, is authorized or granted access to the merchant account or can download or modify the data in any other account, the account that does not belong to the Researcher, or try to do any such activities.

The Researcher must not infringe any applicable laws or regulations. The test types are excluded explicitly from the scope and testing for the best interests of the safety of our merchants, users, employees, the internet at large, and you as a Researcher:

• Any findings from physical testing (office access, tailgating, open doors)
• DOS or DDOS vulnerabilities
• Identifying any spelling mistakes or any UI and UX bugs are excluded from this responsible disclosure

Rules

The Researchers must abide by the below terms and conditions:

1. Must not violate the privacy policy, the user and merchant experience should not be impacted in any way, must not interrupt with or deny services to any user, must not disturb our production system, and must not delete, compromise or misuse data during testing.
2. Most not actually exploit a vulnerability, you could only show or explain that it could be exploited.
3. Must not incur the loss of funds that are not your own.
4. Must not try to have access, download, copy, delete, compromise or misuse others' data, account, or personal information.
5. Must use your own email ID and other information for the account sign up to report such vulnerability information to OneATM.
6. Must keep such vulnerability information confidential between you and OneATM. Must not reveal the information, discovery, or the contents of such vulnerability publicly, to any third parties without OneATM's prior written approval. OneATM will take a reasonable time to solve the vulnerability (approximately 1 month as a minimum) depending on the nature of the vulnerability and regulatory compliance by OneATM.
7. Must not make any attack that could impact the integrity, reliability and our service delivery. DDoS/SPAM attacks are strictly not allowed.
8. Must not use automated tools or scanners to find vulnerabilities (noisy and your account and IP address will be suspended automatically).
9. By reporting the vulnerability, the Researcher grant OneATM and its affiliates a permanent, irrevocable, worldwide, royalty-free, transferable, sublicensable right to use, copy, adapt, develop, create derivative work from or share your submission for any purpose. You waive all claims, including breach of contract or implied-in-fact contract, or quasi-contract arising out of your submission.
10. Must not attack in no-technical manner such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

Report

Recognition

This Responsible Disclosure Policy is non compliant to the monetary requests or demands for the identified or alleged vulnerability.

OneATM appreciates your help to keep our environment safe and secure by identifying and reporting the security vulnerabilities in a responsible manner. And so, as a result of the report once the vulnerability is verified and fixed we would like to express our gratitude by putting your name on our Hall of Fame page.

Policy Compliance and Consequences

OneATM will not take complaint to law or take any civil action for the accidental violation of this policy happened in good faith. We take the activities undertaken in consistence with this policy to represent "authorized" conduct under the Computer Fraud and Abuse Act. We will not bring a Digital Millennium Copyright Act (DMCA) claim against you for bypassing the technological measure used to protect the applications in subject.

Penalty

If a third party initiates any legal action against you and you have aided by the OneATM Responsible Disclosure Policy, OneATM will take steps to let it be known that the Research and actions were taken complying with this policy.

Public NonDisclosure

Important Guidelines Summary