Introduction
This page is for security researchers who want to report application security vulnerabilities. If you report an issue that is within program scope, is confirmed to be a valid security issue, and you have followed the program guidelines, we will recognize your finding, and you will be permitted to disclose the vulnerability after a fix has been issued. Please direct all questions to support@mercemur.com.
In Scope
The Mercemur web applications (as defined in the Terms and Conditions), hosted on the domains listed below.
Domains
- mercemur.com
- *.mercemur.com
Focus Area
Automated tools or scripts (e.g. Nuclei or other automated scanners) are strictly prohibited. Every PoC submitted to us must include a proper step-by-step guide to reproduce the issue. We are primarily interested in the following:
- OWASP Top ten
- SQL Injections.
- Shell upload vulnerabilities (only upload a minimal backend script that prints a string, preferably the server hostname, and stop there; do not execute further commands).
- Authentication and authorization vulnerabilities, including horizontal and vertical privilege escalation (use two different test accounts created by you).
- Domain take-over vulnerabilities.
- Stored XSS.
- Any endpoint leaking sensitive user information in bulk.
- Descriptive error messages (e.g.: Stack Traces, application or server errors).
- Other vulnerabilities with demonstrated impact.
Out of Scope
- Any service not listed in the In Scope domains section.
- IDOR-style references to objects that you already have permission to access.
- Duplicate submissions of issues already reported and being remediated.
- Known issues.
- Multiple reports for the same vulnerability type with minor differences (only one will be rewarded).
- Open redirects without proper impact.
- Clickjacking and issues only exploitable through clickjacking.
- Issues without clearly identified security impact such as missing security headers.
- Missing CAA DNS records.
- Vulnerabilities requiring physical access to the victim’s unlocked device.
- Formula Injection or CSV Injection.
- DOM Based Self-XSS and issues exploitable only through Self-XSS.
System and Infrastructure Related
- Patches released within the last 30 days.
- Networking issues or industry standards.
- Password complexity.
Email related
- SPF or DMARC record issues
- Email bombs
Information Leakage
- Fingerprinting / banner disclosure on common/public services
- Disclosure of known public files or directories, (e.g., robots.txt)
- Cacheable HTTPS (SSL/TLS) pages.
Login and session related
- Brute force against the Forgot Password page, or account lockout not being enforced
- Lack of Captcha
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Session Timeouts
Testing
A researcher may test only against customer accounts they have created themselves.
As a researcher, in no event are you permitted to access, download or modify data residing in any other Mercemur customer account, or any data that does not belong to you, or to attempt any such activity.
Responsible disclosure also does not cover spelling mistakes or UI and UX bugs; these are not security vulnerabilities.
Rules
We require that all researchers must:
- Make every effort to avoid privacy violations, degradation of user or merchant experience, disruption to production systems, and destruction of data during security testing.
- Not attempt to gain access to any other person’s account, data or personal information
- Use their real email address to sign-up and report any vulnerability information to us.
- Keep information about any vulnerability you discover confidential between yourself and Mercemur. Mercemur will take a reasonable time to remedy the vulnerability (approximately one month at a minimum, depending on the nature of the vulnerability and on Mercemur's regulatory compliance obligations). The researcher shall not publicly disclose the bug or vulnerability on any online or physical platform before it is fixed and before receiving prior written approval from Mercemur to disclose it.
- Not perform any attack that could harm the reliability, integrity and capacity of our Services. DDoS/spam attacks are STRICTLY not allowed.
Remember that you must never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Please include the following information with your report:
- A detailed description of the steps required to reproduce the vulnerability (PoC scripts, screenshots, and compressed screen captures are all helpful to us)
- Your email address
Report Template
The identified bug must be reported to our security team by email from your registered email address to support@mercemur.com (SUBJECT: SUSPECTED SECURITY ISSUE ON MERCEMUR). The mail should strictly follow the format below:
Individual Details
- Full Name:
- Mobile Number:
- Any Publicly Identifiable profile (LinkedIn, Twitter etc.):
Bug Details
- Name of the Vulnerability:
- Areas affected:
- Impact:
- Detailed steps to reproduce (upload the PoC video to YouTube, keep it private, and add the private video link below):
Recognition - Hall of Fame
- By helping Mercemur keep our data secure, once the reported security vulnerability is verified and fixed, we will put your name on our Hall of Fame page.
- We currently do not offer any monetary compensation.
Visit our Hall of Fame: [Mercemur Hall of Fame site].
Consequences of complying with this policy
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorised” conduct under the Computer Fraud and Abuse Act. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
By default, this program is in "PUBLIC NONDISCLOSURE" mode, which means:
"THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. YOU MUST NOT RELEASE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO THE PUBLIC; IF YOU DO, WE SHALL BE PERMITTED TO TAKE THE NECESSARY LEGAL ACTION."
Fine Print
We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.