Evri Responsible Disclosure Policy

Evri appreciates investigative work into security vulnerabilities carried out by well-intentioned, ethical security researchers. We are committed to thoroughly investigating and resolving security issues in our platform and services in collaboration with the security community. This document aims to define the method by which we can work with the security research community to improve our online security.

Scope

This disclosure policy applies only to vulnerabilities in Evri products and services under the following conditions:

  • Only vulnerabilities which are original and previously unreported and not already discovered by internal procedures are in scope.

The following security issues are currently not in scope (please don’t report them):

  • Volumetric vulnerabilities (i.e. simply overwhelming our service with a high volume of requests).
  • TLS configuration weaknesses (e.g. “weak” cipher suite support, TLS1.0 support, sweet32 etc.).
  • Reports of non-exploitable vulnerabilities.
  • Reports indicating that our services do not fully align with “best practice” e.g. missing security headers (CSP, x-frame-options, x-prevent-xss etc) or suboptimal email related configuration (SPF, DMARC etc).
  • Reports of improper session management / session fixation vulnerabilities.

Bug Bounty

We unfortunately do not offer a paid bug bounty programme at this time. We may, after due consideration, offer a token of appreciation to security researchers who take the time and effort to investigate and report security vulnerabilities to us according to this policy. This is entirely at our discretion and is usually based on the uniqueness and rating of the vulnerability.

However we do want to recognise the good people who have helped us to keep Evri secure in our Hall of Fame.

Bug Bounty Hall of Fame 2022

Evri are not responsible for the content of the links in the Bug Bounty Hall of Fame, if your name is on the list and you feel this is incorrect, please let us know at infosec@evri.com

Reporting a vulnerability

If you have discovered an issue which you believe is an in-scope security vulnerability, please email infosec@evri.com including:

  • The website or page in which the vulnerability exists.
  • A description of the vulnerability, including its class. We ask that reporters provide a benign (i.e. non-destructive) proof of exploitation wherever possible. This helps to ensure that the report can be triaged quickly and accurately whilst also reducing the likelihood of duplicate reports and/or malicious exploitation for some vulnerability classes (e.g. sub-domain takeovers).

What to expect

Following the initial email, our Security Team will work to triage the reported vulnerability and will respond to you as soon as possible to confirm whether further information is required in order to confirm the vulnerability From this point, necessary remediation work will be assigned to the appropriate teams and/or supplier(s). Priority for bug fixes and/or mitigations will be assigned based on the severity of impact and complexity of exploitation.

Our Security Team will notify you when the reported vulnerability is resolved and will ask you to confirm that the solution covers the vulnerability adequately. We will offer you the opportunity to feed back to us on the process as well as the vulnerability resolution. This information will be used in strict confidence in order to help us improve the way in which we handle future reports and/or develop services to resolve vulnerabilities.

Guidance

Security researchers must not:

  • Access unnecessary amounts of data above what is necessary to demonstrate or confirm a vulnerability;
  • Violate the privacy of Evri users, staff, contractors, systems etc. Examples of this would be sharing, redistributing and/or not properly securing data retrieved from our systems or services;
  • Communicate any vulnerabilities or associated details via methods not described in this policy or with anyone other than the infosec@evri.com inbox;
  • Modify data in our systems/services which is not your own;
  • Disrupt our service(s) and/or systems; or
  • Disclose any vulnerabilities in Evri systems/services to third parties/the public prior to the us confirming that those vulnerabilities have been mitigated or rectified. This does not prevent notification of a vulnerability to third parties to whom the vulnerability is directly relevant, for example where the vulnerability being reported is in a software library or framework – but details of the specific vulnerability of Evri must not be referenced in such reports. If you are unsure about the status of a third party to whom you wish to send notification, please email infosec@evri.com for clarification.

We request that any and all data retrieved during research is securely deleted as soon as it is no longer required and at most, 30 days after the vulnerability is resolved, whichever occurs soonest.

If you are unsure at any stage whether the actions you are thinking of taking are acceptable, please contact our security team for guidance at infosec@evri.com.

Legalities

This policy is designed to be compatible with common good practice among well-intentioned security researchers. It does not give you permission to act in any manner that is inconsistent with the law or cause Evri to be in breach of any of its legal obligations, including but not limited to:

  • The Computer Misuse Act (1990).
  • The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018.
  • The Copyright, Designs and Patents Act (1988).

Evri will not seek prosecution of any security researcher who reports, in good faith and in accordance with this policy, any security vulnerability on an Evri service.

Feedback

If you wish to provide feedback or suggestions on this policy, please contact our security team: infosec@evri.com. This policy will evolve over time and your input will be valued to ensure that it is clear, complete and remains relevant.