A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

Paymenttools Bug Bounty Program

--------------------------------------------------------
Contact: mailto:security@paymenttools.com
PGP key: https://www.paymenttools.com/pgp_key.txt
Preferred languages: English, German
Hiring: https://www.paymenttools.com/careers
--------------------------------------------------------

# Program overview

Your expertise and dedication contribute significantly to the security of our systems. If you've discovered a security issue within Paymenttools services, we encourage you to report it to us in a responsible manner. We're committed to working with the security team to understand and resolve reported issues. Your submissions are invaluable to us, so we offer bounties for each submission based on their severity according to CVSS v4.
Each submission should include the following:

# Bug description

    * Provide a clear and concise description of the identified security issue.

# Severity assessment

    * Include your assessment of the vulnerability's severity and potential impact.
    * Explain your reasoning behind the severity assessment.


# Steps to reproduce

    * Provide detailed steps to reproduce the issue, including:
    * Affected API(s).
    * Specific configurations or prerequisites.
    * Step-by-step instructions.

# Supporting material

    * Include relevant screenshots, code snippets, or any other materials that help demonstrate the reported issue.
    * If possible, provide a proof-of-concept video showcasing the vulnerability.

# Remediation suggestions (optional)

    * If you have suggestions for remediation, please include them. The provided solution may increase the bounty.


# Submission instructions:

    * Please send your bug report to the contact address provided at the top of this file.
    * Use the subject line: "Bug bounty submission - [brief description of issue]."
    * Attach all relevant materials and ensure the report is clear and well-structured.
    * Encrypt your message using the PGP key, which can be found at the path specified above in this file.

# Reward system:

    * Our security team will assess each submission's severity based on its impact and exploitability, according to CVSS v4.
    * Bounty rewards will be determined according to the severity level, with higher  rewards for more severe vulnerabilities.
    * Payment methods and terms will be communicated after the assessment is complete.

# Privacy notice:

    * We prioritise your privacy. All information provided will be kept strictly confidential and will be used solely to address the reported security issues.

We appreciate your efforts in making our services more secure and will contact you as soon as possible.