Security at Ease2pay

As a provider of an Internet of Things and payment platform, Ease2pay also places the highest demands on the cyber security of its networked devices, apps and web applications. Our development teams are committed to protecting your privacy.

Reporting vulnerabilities

Send us your findings or comments via our contact page.

Ideally, your message should contain the following information:

• Affected product/application.
• Description of identified vulnerability.
• If available: proof-of-concept code, exploit or packet capture.

Ease2pay Vulnerability Disclosure Policy

Introduction

As a provider of an Internet of Things and payment platform, keeping user information safe and secure is a top priority and a core company value for Ease2pay. Therefore, we welcome external security researchers' contribution to improving our products and IT applications' security. This policy shows the framework that Ease2pay assures regarding the responsible disclosure of security vulnerabilities. This policy is subject to changes occasionally and is applicable in its latest version.

Scope

This policy applies to all networked and networkable products and components developed, produced or marketed by Ease2pay and to all publicly accessible IT applications of Ease2pay.

We are interested in findings which are exploitable, leading directly to an exploitable vulnerability or allowing to compromise user data remotely.

Please note that reports regarding vulnerabilities with minimal security impact (e.g. missing headers), unverified results of automated scans, vulnerabilities beyond Ease2pay’s control and vulnerabilities in violation of the requirements stated below are out of scope.

Eligibility and Responsible Disclosure 

If you believe you have discovered a vulnerability in an IT application or have a security incident to report, you can share your findings or comments with us via the contact page. 

Ideally, your message should contain the following information:

• Affected product/application.
• Description of identified vulnerability.
• If available: proof-of-concept code, exploit or packet capture. 

To accelerate the reporting process, we ask that you:

• Share the security issue with us in detail.
• Be respectful of our applications and systems, and do not disrupt operations.
• Give us a reasonable time to respond to the issue before publicly disclosing any information. We will try to contact you as soon as possible and eliminate a vulnerability within a period of 90 days. We ask you to keep all communications and information confidential during this time. We reserve the right to change deadlines based on extreme circumstances.
• Do not access or modify our data or our users’ data without our explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes.
• Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to the aforementioned e-mail address.
• Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service); and
• Otherwise, comply with all applicable laws.

Consequences of Complying with this policy

In its current version, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct. To the extent that your activities are inconsistent with certain restrictions in our policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a claim against you for circumventing the technological measures we have used to protect the applications in scope.

We would like to thank you as an important contributor. Your hints and messages support us in making our systems more secure. We would like to express our gratitude and reference you in the accessible vulnerability reports. Please let us know if and under which name we can list you there.

| Date |      Vulnerability report     | Contributor |

|   15-12-2022  |       Download 1                       |    Ease2pay      |

If you believe you have discovered a vulnerability in an IT application or have a security incident to report, you can share your findings or comments with us via the contact page.

Ideally, your message should contain the following information:

• Affected product/application.
• Description of identified vulnerability.
• If available: proof-of-concept code, exploit or packet capture. 

To accelerate the reporting process, we ask that you:

• Share the security issue with us in detail.
• Be respectful of our applications and systems, and do not disrupt operations.
• Geef ons een redelijke termijn om op het probleem te reageren voordat je informatie openbaar maakt. Wij zullen proberen zo spoedig mogelijk contact met je op te nemen en een kwetsbaarheid binnen een periode van 90 dagen te verhelpen. Wij vragen je alle communicatie en informatie gedurende deze periode vertrouwelijk te houden. Wij behouden ons het recht voor om termijnen te wijzigen op basis van extreme omstandigheden.
• Do not access or modify our data or our users’ data without our explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes.
• Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to the aforementioned e-mail address.
• Te goeder trouw handelen om schending van de privacy, vernietiging van gegevens en onderbreking of verslechtering van onze diensten (met begrip van dienstweigering) te voorkomen; voor het overige alle toepasselijke wetten naleven.

Reporting of vulnerabilities

Send us your findings or comments using the email button on our contact page.

Ideally, your message should contain the following information:

Affected product/application.

Description of identified vulnerability.

If available: proof-of-concept code, exploit or packet capture.