DailyPay Vulnerability Disclosure Program

Introduction

At DailyPay, we are dedicated to delivering secure products and services. We value the input of independent security researchers and the broader community in helping us maintain a secure technological landscape.

If you believe you've identified a potential security vulnerability within DailyPay's systems, we want to hear from you.

TIP: Exceptional reports don't just help us stay safe, they may also warrant an invite to our private, paid Bug Bounty program!

Response Targets

We make a best effort to meet the following response timelines for researchers:

Program Rules & Disclosure

To remain in good standing, we ask that you adhere to the following:

• Confidentiality: Do not discuss vulnerabilities (including resolved ones) outside this program without express written consent.

• Standard Guidelines: Follow the HackerOne Disclosure Guidelines.

• Report Quality: Submit one vulnerability per report (unless chaining for impact). Reports must include clear, reproducible steps.

• Duplicates: Only the first reproducible report of a vulnerability will be triaged.

• Good Faith Effort: Make a good faith effort to avoid privacy violations, data destruction, or service degradation. Only interact with accounts you own.

• Prohibited: Social engineering (phishing, vishing, etc.) against DailyPay employees or users is strictly forbidden.

Scope & Identification

Testing is strictly limited to assets listed as "In-Scope." Anything not listed is considered Out-of-Scope. If you discover a vulnerability in an unlisted asset, please contact [email protected] before submitting.

Mandatory Testing Header

To ensure our SOC doesn't block your activity, all manual and automated testing tools must include the following HTTP header:

X-HackerOne-DailyPay-Research: [Your H1 Username]

Out-of-Scope Vulnerabilities

When reporting, please focus on exploitability and security impact. The following issues are generally considered out of scope:

Web & General Policy

• CSRF/Clickjacking: On pages with no sensitive actions or unauthenticated forms.

• Configuration: Missing best practices in SSL/TLS, CSP, or HTTP headers (e.g., HttpOnly, Secure flags).

• Email: Missing SPF/DKIM/DMARC records or general email best practices.

• Redirects: Open redirects unless a significant security impact is demonstrated.

• Information Disclosure: Software version disclosure, banner identification, stack traces, or descriptive error messages.

• Rate Limiting: On non-authentication endpoints.

• CORS misconfiguration without an exploitation scenario.

• Broken link hijacking issues.

• Improper logout functionality and improper session timeout.

• Disclosure of IP addresses.

Technical Limitations

• User Interaction: Issues requiring unlikely or "perfect world" user interaction (e.g., Tabnabbing).

• Access: Attacks requiring MITM or physical access to a user's device.

• Environment: Debug info or partial source code disclosure in development/staging environments.

• Known Vulnerabilities: Vulnerabilities in outdated browsers (less than 2 stable versions behind), "Zero-day" vulnerabilities patched within the last 30 days, or previously known vulnerable libraries without a working Proof of Concept.

• Archived Repositories: Findings in archived repositories will not be accepted as these are no longer maintained.

• Theoretical issues that are not exploitable, or cannot be demonstrated as exploitable.

Low Impact / Automated

• CSV Injection: Without a demonstrated vulnerability.

• Scanner Reports: Raw, unvalidated output from automated tools.

• Public Data: Publicly known Google API keys, leaked credentials from dark web sources, or breach lists.

• WordPress: Issues on unauthenticated endpoints of WordPress sites or XMLRPC.

Mobile Specific

• Lack of SSL Pinning or Jailbreak detection.

Thank you for helping keep DailyPay and our users safe!