This bounty program is for Chargezoom’s PayPortal Software-as-a-Service (SaaS) product. The product is used primarily by small businesses, but also by other types of online businesses. It is a hosted, PHP-based application installed and managed by Chargezoom.
As a Researcher, you will apply your knowledge and skill to find security flaws in the implementation of the software, whose purpose is to automate financial processes.
Reports will be reviewed and evaluated on an individual basis. You can expect valid security flaws to be rewarded based on both technical and business impact.
When registering for a free Chargezoom account, you must use an address on the @cztester.com domain. This disposable email service is dedicated to testing and is hosted by mailsac.com. There is no need to create the mailbox in advance: go to https://cztester.com and enter the temporary address you registered with to view its inbox.
Website Testing: *.payportal.net
API Testing: api.payportal.net
·Unauthenticated and client-authenticated areas are the most valued focus.
·Each report will be evaluated and variably rewarded based on both technical and business impact, given the focus and trust outlined in the paragraph above. The reward structure is provided in the Reward section below; it is a good indication of what researchers with valid reports can expect.
·Below is a list of some of the vulnerability classes for which we are seeking reports:
-Server-side Remote Code Execution (RCE)
-SQL Injection (SQLi)
-Cross-site Request Forgery (CSRF)
-Cross-site Scripting (XSS)
The following targets and vulnerabilities are specifically excluded from scope and should not be tested:
·Live production payportal.com: Testing against live production is STRICTLY forbidden. Not only is testing against production systems disruptive for operators, it is also problematic from a research standpoint: flawed behavior observed on a production system outside your control might stem from issues unrelated to the product, and would therefore not be reproducible (and thus not eligible for reward).
·External services/APIs used by the Chargezoom application for integration with vendor services, such as merchant gateways, SaaS platforms, etc.
·External services offered through the reseller channel
·Server environment context or behaviors, such as the LAMP stack or the OpenSSL and cURL libraries.
·General product bugs that do not have a security impact
·Miscalculation of payments or taxes, or other bugs related to improper billing for access to services.
·License circumvention by means of deobfuscation, core code replacement, or other means of product modification.
·Self-XSS and issues exploitable only through Self-XSS.
·Stored XSS created by Admin (whose privileges allow content creation for use by lesser or equally privileged admins, clients, or site visitors).
·CSRF on forms that are available to anonymous users or intended for customization (e.g. the contact form, login form).
·SSRF by an Admin with privilege to access or manage (a) remote servers/3rd-party integrations and/or (b) configurations within Chargezoom for servers or integrations.
·Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
·Impact from third-party code that augments core functionality (e.g. hooks, modules).
·Any flaw requiring access to, or execution of, files or routines of the manual installer/updater.
·Disclosure of access credentials for remote systems to Admins who are authorized to access the respective system.
The Chargezoom application has many service integrations (modules). In most cases these integrations are managed by Chargezoom; of course, the design of the service’s API will limit the level of security that is possible and practical for Chargezoom to provide. In other cases the integration code has been supplied directly by the service provider, and maintenance and security must be handled by them; Chargezoom simply ships the integration as part of the packaged application. Reports against these integrations will be evaluated for scope applicability. If a report is not applicable to the Chargezoom security team, researchers will be provided an appropriate contact when one is available.
Please Note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.
If a researcher wants to retain disclosure rights, they may put forth a proposal that will be considered under the most extreme and convincing circumstances.
In summary: all submissions, rewarded or not, including Duplicate, Out of Scope, and Not Applicable submissions, are not to be disclosed to the public at any level of detail at any time, unless guided by Chargezoom following explicit, written permission.
If this is unacceptable, we humbly ask researchers to find another program that is better aligned with their needs and perspective.
Monetary rewards are variable and guided by the following severity criteria.
Tier 1 – Critical: Up to $5,000
Tier 2 – Severe: Up to $2,500
Tier 3 – Moderate: Up to $1,000
Tier 4 – Low: Up to $500