# STD-SECURITY-043: Bug Bounty Programme
| Owner | Classification | Review Date | Status |
|---|---|---|---|
| Security | Confidential | April 2027 | Active |
| Field | Value |
|---|---|
| Standard | STD-SECURITY-043 |
| Title | Bug Bounty Programme |
| Status | Draft |
| Owner | Security Team |
| Approved By | CDO |
| Created | 2026-04-03 |
| Review | Quarterly |
## Purpose
Establish a public bug bounty programme to harness the security research community for finding vulnerabilities in Simpaisa's external-facing systems. Internal penetration testing (STD-SECURITY-042) provides structured coverage; a bug bounty provides continuous, adversarial testing by diverse researchers with varied skill sets.
## Scope

### In Scope
| Target | Description |
|---|---|
| External Payment APIs | /v3/payments/*, /v3/payouts/*, /v3/remittances/*, /v3/cards/* |
| Merchant Portal | portal.simpaisa.com — all authenticated and unauthenticated flows |
| Mobile SDKs | Android and iOS SDKs — reverse engineering, local storage, API key extraction |
| Webhook Infrastructure | Signature bypass, replay attacks, SSRF via callback URLs |
| KrakenD Gateway | Authentication bypass, rate limit evasion, header injection |
| Public Documentation Site | XSS, open redirects, information disclosure |
### Out of Scope

- Social engineering, phishing, or physical attacks.
- Denial-of-service (DoS/DDoS) attacks.
- Attacks against third-party services (Cloudflare, ControlPlane, payment channels).
- Automated scanning without prior coordination (noisy scanners will be blocked).
- Findings already reported in the last 90 days (duplicates).
- Theoretical vulnerabilities without a working proof of concept.
## Platform

- Primary: HackerOne (preferred) or Bugcrowd.
- Programme type: Private initially (invite-only, 50 researchers), moving to public after 6 months of operational maturity.
- Programme page: Includes scope, rules of engagement, reward table, safe harbour statement, and disclosure policy.
## Reward Tiers
| Severity | CVSS v4.0 Range | Reward (USD) | Examples |
|---|---|---|---|
| Critical | 9.0–10.0 | $5,000 | RCE, authentication bypass, mass data exfiltration |
| High | 7.0–8.9 | $2,000 | SQL injection, IDOR accessing other merchants' data, SSRF |
| Medium | 4.0–6.9 | $500 | Stored XSS, CSRF on sensitive actions, information leakage |
| Low | 0.1–3.9 | $100 | Reflected XSS, missing security headers, verbose errors |
- Bonuses: +50% for submissions with a clear, reproducible proof of concept and suggested remediation.
- Payment: via HackerOne/Bugcrowd platform (bank transfer or PayPal).
## Triage SLAs
| Stage | SLA | Owner |
|---|---|---|
| Acknowledge receipt | 24 hours | Security Team |
| Initial triage | 48 hours | Security Team |
| Validate and classify | 7 calendar days | Security Team |
| Remediation | Per STD-SECURITY-042 SLAs | Service Owner |
| Researcher notification | Within 24h of fix | Security Team |
| Reward payment | Within 14 days of validation | Security Team |
## Triage Process

1. Receive — submission arrives via bounty platform. Auto-acknowledge within 24h.
2. Triage — Security Team assesses validity, severity, and scope compliance within 48h.
3. Validate — Reproduce the issue in a staging environment. Assign CVSS score. Within 7 days.
4. Assign — Create a Beads issue, assign to the owning service team with remediation SLA.
5. Remediate — Service team fixes the vulnerability per STD-SECURITY-042 remediation SLAs.
6. Verify — Security Team confirms the fix. Re-test in staging.
7. Reward — Payment issued. Researcher notified. Finding closed on the platform.
8. Disclose — Coordinated disclosure after 90 days or upon fix, whichever comes first.
## Integration with Vulnerability Management

- All validated bounty findings are logged in the vulnerability management system (STD-SECURITY-050).
- Severity, remediation owner, SLA deadline, and bounty reference ID are tracked.
- Monthly bounty metrics reported to CDO: submissions received, valid findings, average time-to-fix, total payouts.
## Safe Harbour
Simpaisa will not pursue legal action against researchers who act in good faith, comply with the programme rules, and report findings exclusively through the bounty platform. This commitment is published on the programme page.
## Actions
| # | Action | Owner | Deadline |
|---|---|---|---|
| 1 | Select and contract bounty platform (HackerOne) | Security Team | 2026-Q2 |
| 2 | Draft programme page (scope, rules, rewards) | Security Team | 2026-Q2 |
| 3 | Invite initial 50 researchers (private launch) | Security Team | 2026-Q3 |
| 4 | Establish triage rotation within Security Team | Security Lead | 2026-Q3 |
| 5 | Evaluate transition to public programme | CDO | 2027-Q1 |
## References

- STD-SECURITY-042-PENETRATION-TESTING.md
- STD-SECURITY-050-VULNERABILITY-MANAGEMENT.md
- SECURITY-ARCHITECTURE.md
- STD-SECURITY-044-DATA-BREACH-RESPONSE.md