Responsible Disclosure Program


We take the security of our systems, products, our employees and customers’ information seriously, and we value the security community. We appreciate and encourage security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to Worldline group and affiliate companies. If you believe you have identified a potential security vulnerability, please submit it pursuant to our Responsible Disclosure Program.

Please note, Worldline does not operate a public bug bounty program and we make no offer of reward or compensation in exchange for submitting potential issues.


Responsible Disclosure Program Guidelines

We require that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Do not engage in any activity that can potentially or actually cause harm to Worldline, our customers, or our employees;
  • Do not initiate a fraudulent financial transaction;
  • Do not store, share, compromise or destroy Worldline or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Worldline. This step protects both the potentially vulnerable data and you;
  • Do not engage in any activity that violates (a) European, federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity;
  • Perform research only within the scope set out below;
  • Use the identified communication channels to report vulnerability information to us; and
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and Worldline group.

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursue or support any legal action related to your research;
  • Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 5 business days of submission);
  • Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.


Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue;
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party;
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.


Who can participate in the program

Anyone who does not work for Worldline group or for partners of Worldline, who reports a unique in-scope security issue and does not disclose it to a third party.

Scope

  • Any public-facing website owned, operated, or controlled by Worldline and affiliate companies, including web applications hosted on those sites.
  • All consumer accessible systems of Software-based PIN Entry on COTS, including the PIN CVM Application itself as well as the protocols used to communicate between the PIN CVM Application, SCRP and back-end monitoring systems.

Out of scope

Any client sites or services hosted by third-party providers are excluded from scope.

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:

  • Findings from physical testing such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, vishing)
  • Findings from applications or systems not listed in the ‘Scope’ section
  • UI and UX bugs and spelling mistakes
  • Resource Exhaustion Attacks
  • Network level Denial of Service (DoS/DDoS) vulnerabilities

In addition, the following conditions apply to all research:

  • You do not exfiltrate any data under any circumstances
  • You do not intentionally compromise the privacy or safety of Worldline personnel or any third parties
  • You do not intentionally compromise the intellectual property or other commercial or financial interests of any Worldline personnel or entities, or any third parties.

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Worldline group and our users safe!

Please submit your report to: security@worldline.com


Report a vulnerability

If you wish to report a security vulnerability, and also be in our Hall of Fame, you can submit your report to Worldline security.


Hall of fame

Worldline would like to thank security researchers for responsibly disclosing security issues to us.