BillEase Bug Bounty Program

Last updated: 4 April 2022.

  1. Rationale

    BillEase strives to maintain the overall security of its systems and acknowledges that relying on internal testing alone is not sufficient. Therefore, we are opening this bug bounty program to security researchers who find vulnerabilities in our systems, in exchange for a corresponding bounty.

  2. Program Scope

    Here's a list of what we consider fair game for researchers to test:

    2. BillEase Android App
    3. BillEase iOS App
    4. Other BillEase assets

    At present, only public (unauthenticated) testing of our services is in scope.

  3. Security Researcher Requirements

    For submissions to be recognized, the security researcher should:

    1. give BillEase a reasonable amount of time to resolve reported and verified security vulnerabilities before any disclosure;
    2. preserve the confidentiality of any data that may have been exposed during research;
    3. not disclose vulnerability details to third parties, whether for a payout from anyone other than BillEase or otherwise;
    4. not defraud BillEase, its systems or its employees while researching a vulnerability;
    5. not use any discovered vulnerability to harass, threaten or blackmail BillEase.

    Should you plan to engage in conduct that falls outside these guidelines, please contact [email protected] beforehand so that we can assess whether it qualifies.

  4. Our Pledge

    In line with our commitment to better serve unbanked Filipinos with accessible credit, and to show our gratitude to security researchers who test our systems while following our guidelines, we will:

    1. address and resolve reported and verified security vulnerabilities;
    2. refrain from pursuing security researchers under applicable computer misuse laws for research conducted in accordance with these guidelines; and
    3. award a bounty commensurate with the severity of each verified vulnerability.

  5. Excluded Vulnerabilities

    The following classes of findings are not eligible for a reward in our Bug Bounty Program:

    1. Theoretical vulnerabilities without a working proof of concept
    2. Clickjacking
    3. Known issues already publicized by BillEase
    4. Unilateral expiring password token availability to third parties
    5. Deprecated Mobile App and/or Browser Platforms
    6. Jailbreak or root device exploits
    7. Tab-nabbing
    8. Web or Mobile App performance issues
    9. Issues related to weak SSL/TLS cipher suites or protocol versions
    10. Content spoofing and text injection issues without a demonstrated attack vector (i.e. without the ability to modify HTML/CSS)
    11. Social engineering exploits
    12. Low-impact CSRF issues
    13. Missing or misconfigured CSP headers, X-Frame-Options, content-sniffing protections, HPKP and similar
    14. Assets not owned by BillEase
    15. Missing security headers that do not lead to direct exploitation
    16. Self-XSS
    17. Service issues that have no security impact
    18. Phishing
    19. Vulnerabilities that require physical access to a user's device
    20. DDoS attacks (intentional or not)
    21. Missing best practices without a working proof of concept
    22. Man-in-the-middle (MITM) attacks

  6. Submission Protocol

    Found a legitimate security vulnerability? Attach the following to your message:

    and send it to our Security and Privacy officer at [email protected] .

  7. Reward Schedule

    Once BillEase receives your submission, we will confirm the finding and triage it. We will then reply with BillEase's classification of the vulnerability and the corresponding bounty amount.

First Digital Finance Corporation doing business under the names and styles of FDFC, Balikbayad, and BillEase is regulated by Securities and Exchange Commission as a financing company (CoA No.: 1101) and by the Bangko Sentral ng Pilipinas as Operator of Payment System (OPSCOR-2021-0007).

Copyright 2024