Coordinated Vulnerability Disclosure


At Bottlepay, the security of the Bottlepay application and of our customers’ personal data is a top priority. We do realise that no matter how much effort we put into application security, there can still be vulnerabilities present.

We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not usually offer monetary rewards for vulnerability disclosures.

If you discover a vulnerability, we would like to know about it so we can take steps to resolve the issue as quickly as possible.


If you believe you have found a security vulnerability in our mobile application (iOS, Android) or in any other service handling reasonably sensitive Bottlepay customer data, please email your findings to [email protected]. We have a PGP key you can use to encrypt your findings. You can find our PGP key here.

In your report please include details of:

• The version of the application on which the vulnerability occurs, and the device and OS on which you are running the application.

• A brief description of the vulnerability.

• Steps to help us reproduce the vulnerability. This should be a non-destructive proof of concept.

• A CVSS calculation for the vulnerability.


We authorise you to test the Bottlepay application and other services handling reasonably sensitive customer data, provided that you:

• Only test against your own account. Do not interact with any account that you do not own.

• Do not access or attempt to access data that does not belong to you.

• Do not exploit a security issue that you discover for any reason.

• Do not perform actions that may negatively impact Bottlepay or our users, for example (but not limited to): denial of service, sending any malicious software and/or files, or testing third-party applications that we have integrations with or that integrate with us.

• Do not reveal the problem to others until it has been resolved.

• Do not use social engineering, spam or attacks on physical security.

What you can expect from us

If you have followed the guidance above:

• We will not take any legal action against you in regard to the report.

• We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.

• We will keep you informed of progress towards resolving the problem.

• We will strive to resolve all problems as quickly as possible.


We currently do not maintain a public wall of thanks for reported issues and security researchers. However, if we deem your finding to be material and choose to publicly disclose the issue, we will credit you as the discoverer using your agreed handle. You can of course choose to remain anonymous.


This policy was last updated on 3 March 2023, and the most current version is hosted here.

Last updated: 3 March 2023