United States Canada United Kingdom Puerto Rico
Payroc named an "Organization of the Year" at the 2023 Excellence in Customer Service Awards
Contact us

Security Disclosure Policy

Payroc greatly appreciates investigative work into security vulnerabilities that well-intentioned, ethical security researchers carry out. We are committed to thoroughly investigating and resolving security issues in our platform and services in collaboration with the security community. This policy defines how Payroc can work with the security research community to improve our online security.

Please note that Payroc currently does not provide rewards/bounties.

We follow the practice of responsible disclosure to best protect Payroc's partners and customers from the impact of security issues. On our side, this means:

  • We will respond to security incidents as a priority.
  • We will address the matter as soon as it is practical, keeping in mind that not all risks are created equal.
  • We will always transparently let the community know about any incident that affects them.

If you have found a security vulnerability within the Payroc ecosystem, we ask that you disclose it responsibly by emailing [email protected]. Optionally, if you want to encrypt your email, you can use our PGP key – see the end of this document. Please do not discuss potential vulnerabilities in public without validating with us first.

On receipt, our security team will:

  • Review the report, verify the vulnerability and respond with confirmation and further information requests; we typically reply within 24 hours.
  • Once the reported security bug is addressed, we will notify the Researcher, who is welcome to disclose it publicly.

The following is a list of known issues and things we do not consider to be an issue. Please do not send reports regarding the following:

  • Account squatting by preventing users from registering with specific email addresses
  • Attacks requiring MITM or physical access to a user's device
  • Best practice reports without a valid exploit (for example, use of "weak" TLS ciphers)
  • Clickjacking on pages with no sensitive actions
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Denial of service
  • Disclosure of server or software version numbers
  • Hypothetical subdomain takeovers without supporting evidence
  • Issues that require unlikely user interaction
  • Missing best practices in Content Security Policy
  • Missing best practices in SSL/TLS configuration
  • Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, and so on)
  • Missing HttpOnly or Secure flags on cookies
  • Open redirect - unless an additional security impact can be demonstrated
  • Perceived security weaknesses without concrete evidence of the ability to compromise a user (for example, missing rate limits, missing headers, and so on)
  • Previously known vulnerable libraries without a working Proof-of-Concept
  • Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis
  • Rate limiting or brute force issues on non-authentication endpoints
  • Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
  • Reports of spam
  • Self-XSS
  • Session invalidation or other improved security related to account management when a credential is already known (for example, password reset link does not immediately expire, adding MFA does not expire other sessions, and so on)
  • Social engineering
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (for example, stack traces, application or server errors)
  • Tabnabbing
  • Unconfirmed reports from automated vulnerability scanners
  • User/merchant enumeration
  • Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version)

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBGKWBX4BDADhtCOq8nqsTDkwO1SKzRt/KV5VdQk2j0dMl2mriw0HJctXlUR8 UCbfnUZGjKFVikkUH6F1J9ihy7IubnAGchSnfdNhB+gH0ysAt9yYv/aQ7S1AaU2Z yCuHZsqG7mc66fpt4Qc85iqx/YlkP7pLBAegpFyFt1sjt+6aMHF/dwaOXTWysU3x D0aLhYNqb6Ltk69nAMbmoJtsHrIcA3MFV8bx3JCuLU5ZGlF6426t/l7S4pMl0eLL sSVa13HaN4pkeRMX/2ip5aHF6QAu8XcMBtoaNXoKC+TtLB1mQdrNwbhj4NjGq51q XFb+8o3s/jctB/4M0R1T4Z7Z87CHMYxpRYBURpqXuQcPuTXhsfugmZfJq0pRnNFe +o4IYEpLBYSAMgDu1iCczCcYMQxjhPhKWL6fQPWo6/RdMbgSDppEoGxGCJLUJAYV 82hCp4H+5quAQXtCcPzVp2ktMNEI/PSj1udA95abvIwmWm62husgiV3XlMmR/NUX A/dvhm7vUelgbCsAEQEAAbQcUGF5cm9jIDxzZWN1cml0eUBwYXlyb2MuY29tPokB 0QQTAQgAOxYhBM8Wge79onuWC7DOfpxM7lcFs2FyBQJilgV+AhsDBQsJCAcCAiIC BhUKCQgLAgQWAgMBAh4HAheAAAoJEJxM7lcFs2FyUfwMAKDN+lAi5HU0WepZJca+ ahBnliTSaY8mp4AXhUgW7O16qdINVCNUP1xgFBAB6j6ISmkJRKS/PG7FdVkGNZgH +euMWGUZycsHmj/NEyQWpnQ+5CKcWDD9+OIrT1MSAhjSfJgpf3AUpxychfmi76gM 2Oc5fI8TYDayEkOZ4pj9cMgeuuSK5wJ4T6pf8coCwJxCB39/0lkG9FpcpEpWc3ar PwnKf5EMrUwlWAtUr4xam6hJCZSZdDZbvVxsxjprwtV2HPkBhVRtGZzTP0aB0neC uFix0M5w3KGwodQ1pj9ZNLDRYxx4qDYWh1xpvaMV4ugtm0Hz0jhYnymETCSGvi5r l0jd2Goz9hRMjfoBcfFO7iqWSOYEGJ4hYbNCI0RG/aMHVbX/Pv6mkQ/3vSOF3RHU nAPK2GYiw/Z7WusRU2o1FuAfw4Q+mhXRqCpI1G8T7WaP+tXVQEWr48TVOevOncwa 4v6yt9nTxVTRh9R/ryiWkAsOZPj1NzN8s6Nt1nSu8LaVYrkBjQRilgV+AQwAmtOe vlakjZSJNdD15QI5upWf7twV0x01gpLqfyWG3KsVBQkSmwFDyq/urIkCv2G5pWRY mq9+gHGGnu20rSsuHpZaBVpu7WKrUfOW3rEJe2dJklUn7mV+NglpNDfHuix/OyhB keN68ixDZktKe8tXBcajHHBc3wcqpbQzEhDIcJ67e1zVYupuJ0SvS6CNZrdFp5CX HCe/23Po91zdB97Nt1QEQ76T6WAEsqqEEyOFtnWKUVk/oJC7H3dzeWhVyASLNn4V FeW/9kEkhdSmPPtFNGYOtYpMbMDYGQCkxGqQmJWeD+PQEWS6mU4NQ9pkyyqNDAzU +NnSnnf+VN/pPDEye27AqB+8IKuAXTExq/QRKZGV/dPezyn1eOWFKTXOoyAb6/Ti 8/zGMSjqIvlPPJGH2hhj3bxd/uYbT+KwRDBr6q2rLhqfqwT88bCxi3Ss28s4+I8u Lq0YRaaCmjykIT+qWSudul8mWfACORzWla4rMgqicMJSIE4rQvDjvTDz9gD3ABEB AAGJAbYEGAEIACAWIQTPFoHu/aJ7lguwzn6cTO5XBbNhcgUCYpYFfgIbDAAKCRCc TO5XBbNhco0bDAC0XcAt3++/axhvRbZz6Bb3GfojdWY0/MM2iV8gGyKwi3yjQwHA Cxg/EC+A4sC69gPuWeJHll2o3PWse61/+eqvMqN5oQkivMN61B120pyzEfA9TZEL vg5kIDBbuVXn4FlQwHPaNeBUcfEpVWEAPQKs2UWcKrStabIL+N1vmZJepmVYkmAZ rfdH7E8OaFmlShfO8N150mhQGT9W6Li6MMzRzRWaSNuknSEUqWvimfpjLiiPkdbG mzTKWQ1ZavPdaTWASO50qISFqSgYlcZSJCGgFJc6u4kABZ7LgFCAJc3U8TT8Bj+F jbLcNDytzrupSUFoMm0PDsFqhEXacUM8MBAS4kDNOfv3fqMai6lONDiMfOhaoIll 5bdHQKCoz7qtjI56HauctDvdbGK4v8mTZW3V6tFpInkkh7BJkiNQV1FcWO3hLELF NmBk65fMk0s806xFlsWpU8WVNtB8QQUKVYo/aYZfSeLZZB1dLS9CQk8RoLsyOcZJ lK2yau+ZeM+XxvM= =Z0Yb

-----END PGP PUBLIC KEY BLOCK-----