Wegofin Digital strives to maintain a safe and secure environment for all users by taking system security seriously. We welcome reports of security vulnerabilities in Wegofin Digital services; ensuring system security is a continuous process.
Wegofin Digital invites skilled security researchers to participate in its Vulnerability Disclosure Program. If you are an external security researcher, you can report vulnerabilities to Wegofin Digital according to our Responsible Disclosure Policy. Wegofin Digital reserves the right to assess the validity of a report based on the impact of the vulnerabilities.
To keep our systems secure, Wegofin Digital sincerely appreciates the help of security researchers and other members of the security community. When reporting a security vulnerability to us, researchers must adhere to the rules set forth in this Responsible Disclosure Policy.
- We would like to know if you are aware of any vulnerabilities in our product or infrastructure that meet the criteria listed below. Please contact us at info@wegofin.com.
- Our security team will acknowledge your submission within 24 hours.
- Wegofin Digital determines the severity of an issue based on its impact and how easily it can be exploited.
- We will validate the reported issue within 3 to 5 days.
- Do not access sensitive information (by using a test account and/or system), take actions that may negatively affect other users (such as denial of service), or send automated reports.
- Security vulnerabilities should not be exploited.
- The research scope set out below must be followed.
- Researchers may only access, download, or modify accounts that belong to them; other researchers' accounts are off limits.
- Any vulnerability information should be kept confidential until the issue has been resolved. If you have reported a security vulnerability to Wegofin Digital, do not disclose the details publicly.
- Wegofin Digital commits to publicly acknowledge and recognize your responsible disclosure.
- A variety of factors are considered when determining recognition in the Hall of Fame, including (but not limited to) impact, ease of exploitation, and quality. Vulnerabilities with extremely low risk may not qualify.
- Whenever a vulnerability is reported twice, we recognize the first reporter. Duplicate reports are determined by Wegofin Digital and may not share details.
If you find a vulnerability, please notify info@wegofin.com. The Wegofin Digital security team can only be contacted using the registered email address after registration. You should not use your personal emails, social media accounts, or other private connections to contact members of the security team about vulnerabilities or any program-related issues, unless instructed to do so.
Here are the details you should include in your report:
- A description of the vulnerability and its potential impact.
- Detailed steps for reproducing the vulnerability.
- Screenshots and video proofs of concept, if available.
- Your preferred name/handle for recognition in our Security Researcher Hall of Fame.
When assessing security vulnerabilities, researchers should keep to the scope defined below.
Third-party software is excluded:
Wegofin Digital integrates third-party software to provide services to its customers. A bug or vulnerability found in third-party software will not be considered valid as part of this program. Any vulnerabilities communicated to Wegofin Digital may be passed on to the relevant third-party service provider.
In-scope vulnerabilities:
- Remote code execution (RCE)
- Payment flow bypass
- Account takeover (ATO)
- Price manipulation with a successful transaction (transaction ID required)
- SQL injection, XXE, and command injection
- Stored cross-site scripting (XSS) and impactful reflected XSS
- SSRF (server-side request forgery)
- Server and application misconfigurations
- Authentication and authorization vulnerabilities (horizontal and vertical privilege escalation)
- CSRF (cross-site request forgery)
- Sensitive information leakage and IDOR
- Domain takeover vulnerabilities
- Vulnerabilities affecting the Wegofin Digital brand, user (customer/merchant) data, or financial transactions
Out-of-scope vulnerabilities:
- Social engineering (including phishing) of Wegofin Digital employees or contractors
- Distributed denial of service
- Missing cookie flags on non-sensitive cookies; missing X-Frame-Options header
- Missing security headers that do not lead directly to a vulnerability (unless a proof of concept is provided)
- Version disclosure (unless you demonstrate a working exploit)
- Publicly readable directory listings
- HTML injection and self-XSS
- Information that is not a vulnerability in itself, such as stack traces, application errors, robots.txt, etc.
- Use of known-vulnerable libraries such as OpenSSL without proof of exploitation
- Missing account lockout or login brute-force protection on the forgotten-password and login pages
- Locking users' accounts as a means of denying service to the application
- Scanned or automated reports
- Issues that can only be exploited through clickjacking
- Missing, weak, or bypassed captcha
- SSL/TLS issues such as weak or insecure cipher suites, BEAST, BREACH, renegotiation attacks, and missing best practices
- HTTP TRACE or OPTIONS methods enabled
- Login/logout CSRF
- Open ports without a proof of concept demonstrating a vulnerability
- Reflected XSS without a proof of concept demonstrating impact
- Formula or CSV injection
- EXIF metadata not stripped from uploaded images
- Rate-limiting issues
- Cookies missing security headers or cookie flags
- Email SPF/DKIM/DMARC issues
- User email address enumeration
Wegofin Digital reserves the right to add further exclusions to this list as needed.
We strive to resolve all reported issues as quickly as possible, and we appreciate researchers sharing their experiences with us and assisting with the final publication where necessary.