The following targets and vulnerabilities are specifically excluded from scope and should not be tested:
·Live production payportal.com: Testing against live production is STRICTLY forbidden. Not only is testing against production systems disruptive for operators but also problematic from a research standpoint. Observed flawed behavior of a production system outside your control might be due to issues not related to the product and thus not reproducible (and thus not eligible for reward).
·External services/APIs utilized by the Chargezoom application for integration to vendor services, such as merchant gateways, SASS platforms, etc.
·External services offered through the reseller channel
·Server environment context or behaviors, such as the LAMP stack, OpenSSL or cURL libraries, etc.
·General product bugs that do not have a security impact
·Miscalculation of payment, tax, or other bug related to improper billing for access to services.
·License circumvention by means of deobfuscation, core code replacement, other means for product mutation.
·Self-XSS and issues exploitable only through Self-XSS.
·Stored XSS created by Admin (whose privileges allow content creation for use by lesser or equally privileged admins, clients, or site visitors).
·CSRF on forms that are available to anonymous users or for customization (i.e. the contact form, login form, etc).
·SSRF by Admin with privilege to access or manage 1) remote servers/3rd-party integrations and/or B) configurations within Chargezoom for servers or integrations.
·Presence of application or web browser ‘autocomplete’ or ‘save password’
·Impact from third-party code that augments core functionality (i.e, hooks, modules)
·Any flaw requiring access to, or execution of, files or routines of the manual installer/updater.
·Disclosure of access credentials for remote systems to Admins authorized to access respective system.
The Chargezoom application has many service integrations (modules). In most cases, these integrations will be managed by Chargezoom. Of course, the design of the services’ API will be a limiting factor to the level of security that may be possible and practical for Chargezoom. In other cases the integration code will have been provided directly from the service provider and maintenance/security will need to be handled by them; Chargezoom simply provides the integration as part of the packaged application. Reports against these integrations will be evaluated for scope applicability. Researchers will be provided an appropriate contact when available if it is not applicable for the Chargezoom security team.