Responsible Disclosure Policy

  1. Introduction

    Razorpay takes the security of its systems and data very seriously. We continuously strive to keep our environment safe and secure for everyone to use. If you have discovered a security vulnerability in any Razorpay service, we appreciate your help in disclosing it to us responsibly.

    Razorpay will engage with you as external security researchers (the Researcher) when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy.

    If a Researcher follows the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us, then, unless prescribed otherwise by law or by payment scheme rules, we commit to:

    • promptly acknowledge receipt of your vulnerability report and work with you to understand and attempt to resolve the issue quickly;
    • validate, respond to and fix such vulnerability in accordance with our commitment to security and privacy, and notify you when the issue is fixed;
    • unless prescribed otherwise by law, not pursue or take legal action against you or the person who reported such security vulnerability;
    • not suspend or terminate access to our service(s) if you are a merchant, and, if you are an agent, not suspend or terminate the access of the merchants that the agent represents;
    • publicly acknowledge and recognise your responsible disclosure on our Hall of Fame page.

  2. In Scope of this Policy

    Any Razorpay service (iOS, Android or web app) that processes, stores, transfers or otherwise uses personal or sensitive personal information, such as card data and authentication data.

    Domains

    Focus Areas

    Automated tools or scripts ARE STRICTLY PROHIBITED, and any POC submitted to us must include a proper step-by-step guide to reproduce the issue. Abuse of any vulnerability found will attract legal penalties.

    • Payment flow bypass
    • Price manipulation with a successful transaction (transaction ID required)
    • SQL injection
    • Remote Code Execution (RCE) vulnerabilities
    • Shell upload vulnerabilities (upload only a basic backend script that prints a string, preferably the hostname of the server, and stop there! YES, STOP THERE!)
    • Authentication and authorization vulnerabilities, including horizontal and vertical privilege escalation (use two different test accounts created by you)
    • Domain take-over vulnerabilities
    • Stored XSS
    • Bulk leak of sensitive user information
    • Descriptive error messages (e.g. stack traces, application or server errors)
    • Any vulnerability that can affect the Razorpay brand, user (customer/merchant) data or financial transactions

  3. Out of Scope

    General

    1. Price manipulation WITHOUT SUCCESSFUL TRANSACTION
    2. Any services hosted by 3rd party providers and services not provided by Razorpay
    3. Any service that is not mentioned in the In Scope domains section
    4. IDOR references for objects that you have permission to access
    5. Duplicate submissions that are being remediated
    6. Known issues
    7. Rate limiting (unless it implies a severe threat to data or business loss)
    8. Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
    9. Open redirects
    10. Clickjacking and issues only exploitable through clickjacking
    11. Missing HttpOnly and Secure flags on cookies other than session cookies (only session cookies need these flags; for other cookies we do not consider this a vulnerability)
    12. Issues without a clearly identified security impact, such as missing security headers
    13. Missing CAA headers
    14. Vulnerabilities requiring physical access to the victim's unlocked device
    15. Formula injection or CSV injection
    16. DOM-based self-XSS and issues exploitable only through self-XSS

    System and Infrastructure Related

    1. Patches released within the last 30 days
    2. Networking issues or industry standards
    3. Password complexity
    4. Email related:
      • SPF or DMARC records
      • Gmail "+" and "." acceptance
      • Email bombs
      • Unsubscribing from marketing emails
    5. Information Leakage:
      • HTTP 404 codes/pages or other HTTP non-200 codes/pages
      • Fingerprinting / banner disclosure on common/public services
      • Disclosure of known public files or directories (e.g. robots.txt)
    6. Cacheable SSL pages

    Login and Session Related

    1. Brute force against the Forgot Password page and account lockout not being enforced
    2. Lack of Captcha
    3. Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
    4. Session timeouts

  4. Testing

    A Researcher can test only against a merchant account if they are an account owner or an agent authorised by the account owner to conduct such testing.

    As a Researcher, in no event are you permitted to access, download or modify data residing in any other account or data that does not belong to you, or to attempt any such activity.

    In the interest of the safety of our merchants, users, employees, the Internet at large and you as a Researcher, the following test types are expressly excluded from scope and testing: any findings from physical testing (office access, tailgating, open doors) and DoS or DDoS vulnerabilities. Responsible disclosure also does not cover spelling mistakes or UI and UX bugs.

  5. Rules

    We require that all Researchers:

    • Make every effort to avoid privacy violations, degradation of user or merchant experience, disruption to production systems, and destruction of data during security testing.
    • Do not attempt to gain access to any other person's account, data or personal information.
    • Use their real email address to sign up and to report any vulnerability information to us.
    • Keep information about any vulnerabilities discovered confidential between themselves and Razorpay. Razorpay will take a reasonable time to remedy such vulnerability (approximately 1 month as a minimum, but this depends on the nature of the security vulnerability and on Razorpay's regulatory compliance obligations). The Researcher shall not publicly disclose the bug or vulnerability on any online or physical platform before it is fixed and before obtaining Razorpay's prior written approval to disclose it publicly.
    • Do not perform any attack that could harm the reliability, integrity or capacity of our Services. DDoS/spam attacks are STRICTLY not allowed.
    • Do not use scanners or automated tools to find vulnerabilities (they are noisy, and we may automatically suspend your account and ban your IP address).
    • As a Researcher, you represent and warrant that you have the right, title and interest to disclose any vulnerability found and to submit any information, including documents, code and other material, in connection therewith. Once you report a vulnerability, you grant Razorpay, its subsidiaries and affiliates an irrevocable, worldwide, royalty-free, transferable, sublicensable right to use the information related to the vulnerability in any way Razorpay deems appropriate and for any purpose, including reproduction, modification, distribution and adaptation. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by Razorpay.
    • Include a custom HTTP header carrying an ID in all your testing traffic so that we can attribute it to you (Burp and other proxies can add a header to all outbound requests automatically). The header should contain a random UUID, for example:
      X-Bug-Bounty: RDP-<random_uuid>

    Remember that you must never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

    Please include the following information with your report:

    • Detailed description of the steps required to help us reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
    • Your email address.
    • If you’d like to encrypt the information, please use our PGP key from the link below: https://keybase.io/razorpay/key.asc
  6. Report Template

    Report the identified bug to our security team by sending a mail from your registered email address to disclosures@razorpay.com with the subject "Suspected Vulnerability on Razorpay" (do not change the subject line; otherwise the mail will be ignored and will not be eligible for a bounty). The mail must strictly follow the format below:

      Individual Details:
        Full Name:
        Mobile Number:
        Any Publicly Identifiable profile(LinkedIn, Github etc.):
      Bug Details:
        Name of the Vulnerability:
        Areas affected:
      Impact:
        Detailed steps to reproduce (transaction id’s can also be provided here):
    
  7. Recognition – Hall of Fame Page

    • By helping Razorpay keep its data secure, once a security vulnerability has been verified and fixed as a result of your report, we would like to put your name on our Hall of Fame page.

    • Of course, we will need to know whether you want the recognition, in which case you will be required to give us your name, Twitter handle and LinkedIn profile as you wish them to be displayed on our Hall of Fame page.

    We currently do not offer any monetary compensation. However, we may send out Razorpay swag in some cases.

    Requests or demands for monetary compensation in connection with any identified or alleged vulnerability are non-compliant with this Responsible Disclosure Policy.

    Visit our Hall of Fame.

  8. Consequences of Complying with This Policy

    We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

    If legal action is initiated by a third party against you and you have complied with this policy, Razorpay will take steps to make it known that your actions were conducted in compliance with this policy.

  9. Public Disclosure Policy

    By default, this program is in “PUBLIC NONDISCLOSURE” mode which means:

    "THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO THE PUBLIC, FAILING WHICH SHALL BE LIABLE FOR LEGAL PENALTIES!"

  10. The Fine Print

    We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. Razorpay employees and their family members are not eligible for bounties.