Responsible Disclosure Policy

  1. Introduction
    1. We, Red Dot Payment Pte Ltd and RDP subsidiaries (“RDP” or “us” or “we”), take the security of our systems and our data very seriously and value the security community. RDP continuously strives to maintain and ensure that our environment is safe and secure for everyone to use. If you have discovered any security vulnerabilities associated with any of the Products (as defined below), RDP does appreciate your help in disclosure of such vulnerabilities in a responsible manner.
    2. RDP genuinely values the assistance of the security researchers and others in the digital security community to assist in keeping our systems secure. RDP will investigate all legitimate reports and fix the problem as soon as possible.
    3. The RDP Responsible Disclosure Policy, along with such other policies as are referred to herein (“Policy” or “Terms”), covers the terms of your participation in the RDP Responsible Disclosure Program (the “Program”). The Program enables users to submit vulnerabilities and exploitation techniques, an illustrative and non-exhaustive list of which is provided under Annex 1 hereto (“Vulnerabilities”), to RDP about eligible RDP products and services on the domains exhaustively listed under Annex 2 hereto (“Products”) for a chance to earn rewards as determined by RDP in its sole discretion (“Reward”). The decisions made by RDP regarding Rewards are final and binding.
    4. The Policy forms the contractual relationship between you and RDP with respect to the Program. Participants in the Program hereby irrevocably, unconditionally and unequivocally accept and agree to abide by the Policy. Participants are advised to revisit the Policy regularly to check the terms and conditions and the updates. By submitting any Vulnerabilities to RDP or otherwise participating in the Program in any manner, you, expressly, irrevocably and unconditionally acknowledge, confirm and accept the Policy, as amended from time to time in the sole discretion of RDP. RDP may change or cancel the Program at any time, for any reason at its sole discretion. RDP reserves the right but not the obligation to make changes to the Policy and/or the Program at its sole discretion which will be effective once they are published. Participating in the Program after any changes become effective means you agree to the new Terms and/or Program. If you don’t agree to the new Policy (or any amendments thereof), you must not participate in the Program.
  2. Eligibility
    1. You may participate in the Program if you meet all of the following criteria:
      • You are at least 18 years old; and
      • You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate in the Program.
    2. You are not eligible to participate in the Program if you meet any of the following criteria:
      • You are a resident of any countries under sanctions or any other country that does not allow participation in this type of program;
      • You are under the age of 18;
      • Your organization does not allow you to participate in these types of programs;
      • You are in breach of your employer’s policy with respect to participation in the Program or receipt of the Reward under the Program;
      • You are currently an employee of RDP or a RDP subsidiary, or a RDP group entity or an immediate family (parent, sibling, spouse, or child) or household member of such an employee;
      • Within the six months prior to providing RDP your Submission you were an employee of RDP or a RDP subsidiary or a RDP group entity;
      • You currently (or within the six months prior to providing us your Submission) perform services for RDP or a RDP subsidiary in an external staff capacity that requires access to the RDP group, such as an agency temporary worker, vendor employee, or contractor; or
      • You are or were involved in any part of the development, administration, and/or execution of this Program.
    3. You are responsible for reviewing and complying with your employer’s rules for participating (including, to the extent applicable, receiving the Reward) in this Program. It is your responsibility to comply with any policies that your employer may have that would affect your eligibility to participate in the Program or to receive the Reward. If you are participating in violation of your employer’s policies, you may be disqualified from participating or receiving any Reward.
    4. To the extent applicable, all awards of Reward will be made in compliance with local laws, regulations, and ethics rules. RDP disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter.
    5. There may be additional restrictions on your ability to enter the Program depending upon your local law.
  3. Your Covenants
    1. You represent, warrant, undertake and covenant to:
      1. Refrain from privacy violations, degradation of user experience, disruption to our systems, and destruction of data during security testing.
      2. Perform research only within the scope set out in this Policy.
      3. Use the identified communication channels to report Vulnerability information to RDP.
      4. Keep information about any Vulnerabilities you’ve discovered confidential between yourself and RDP. RDP will take a reasonable time to remedy such Vulnerability (approximately 30 days as a minimum, but this is dependent on the nature of the security vulnerability and regulatory compliance by RDP). You shall not publicly disclose the Vulnerability on any online or physical platform before it is fixed and without prior written approval from RDP to publicly disclose such Vulnerability.
      5. Have the right, title and interest to disclose any Vulnerability found and to submit any information, including documents, codes, among others, in connection therewith.
      6. Waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by RDP.
      7. Acknowledge that you are not guaranteed any compensation or credit for use of your Submission; and
      8. Confirm that your Submission is your own work, that you haven’t used information owned by another person or entity, and that you have the legal right to provide the Submission to RDP.
      9. Not perform any attack that could harm the reliability, integrity and capacity of our Products.
      10. Not undertake, directly or indirectly, any denial of service or spam attacks in any manner whatsoever;
      11. Not disclose any card data to any third party whatsoever, nor in any screenshot provided as Proof of Concept (PoC).
      12. Not run automated scanners (RDP may automatically suspend your account and ban your IP address).
      13. Not undertake any non-technical attacks such as social engineering, phishing, or physical attacks against RDP employees, personnel, users, or infrastructure.
  4. Submission Process
    1. If you believe you have identified a Vulnerability (excluding the out-of-scope vulnerabilities listed under Annex 3) that meets the applicable requirements set forth in the Policy, you may submit it to RDP in accordance with the following process:
    2. Each Vulnerability submitted to RDP shall be a “Submission.” Submissions must be reported to bugbounty@reddotpay.com. Please specify the Vulnerability details, and specific product version numbers (to the extent applicable) you used to validate your research. Please also include as much of the following information as possible:
      1. Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
      2. Product and version that contains the bug, or URL if for an online service
      3. Service packs, security updates, or other updates for the product you have installed
      4. Any special configuration required to reproduce the issue
      5. Step-by-step instructions to reproduce the issue on a fresh install
      6. Proof-of-concept or exploit code
      7. Impact of the issue, including how an attacker could exploit the issue
    3. You must follow these Terms (“Disclosure Protocol”) when reporting all Vulnerabilities to RDP. Submissions that do not follow the Disclosure Protocol may not be eligible for Reward and not following the Disclosure Protocol could disqualify you from participating in the Program in the future.
    4. Depending on the detail of your Submission, RDP may award Reward of varying amount at its sole discretion. Well-written reports and functional exploits are more likely to result in Rewards. Those Submissions that do not meet the minimum bar described above are considered incomplete and not eligible for Rewards. RDP is not responsible for Submissions that we do not receive for any reason.
    5. There are no restrictions on the number of qualified Submissions you can provide and potentially be awarded Rewards.
    6. It is clarified that, if you submit a Vulnerability for a product or service that is not covered by the Program at the time you submitted it, you will not be eligible to receive a Reward if the product or service is later added to the Program.
  5. Grant of License
    1. RDP does not claim any ownership rights to your Submission. However, by providing any Submission to RDP, you:
      1. grant RDP, its subsidiaries and affiliates the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Submission: (i) to use, review, assess, test, and otherwise analyze your Submission; (ii) to reproduce, modify, distribute, display, adapt and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and (iii) to feature your Submission and all of its content in connection with the marketing, sale, or promotion of this Program or other programs (including internal and external sales meetings, conference presentations, tradeshows, and screen shots of the Submission in press releases) in all media (now known or later developed);
      2. agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above; and
      3. understand and acknowledge that RDP may have developed or commissioned materials similar or identical to your Submission, and you waive any claims you may have resulting from any similarities to your Submission.
  6. Confidentiality and Restrictions on Disclosure
    1. Protecting customers, merchants and partners is one of RDP’s highest priorities. We endeavour to address each Vulnerability report in a timely manner. While we are doing that, we require that Program Submissions remain confidential and are not disclosed to third parties or as part of paper reviews or conference submissions. You may only make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is fixed. RDP requires that detailed proof-of-concept exploit code and details that would make attacks on customers easier be withheld even after the Vulnerability is fixed. RDP will notify you when the Vulnerability in your Submission is fixed. You may be awarded a Reward prior to the fix being released, and the awarding of a Reward should not be taken as notification of fix completion.
      VIOLATIONS OF THIS SECTION COULD REQUIRE YOU TO RETURN OR FORFEIT ANY REWARD AWARDED FOR THAT VULNERABILITY AND DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE.
  7. Review Process
    1. After a Submission is sent to RDP in accordance with this Policy, RDP engineers will review the Submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your Submission, as well as on the number of Submissions we receive.
    2. RDP retains sole discretion in determining which Submissions are qualified. If RDP receives multiple bug reports for the same issue/Vulnerabilities from different parties, the Reward will be granted to the first eligible Submission. If a duplicate report provides new information that was previously unknown to RDP, we may award a differential Reward to the person submitting the duplicate report.
    3. If you report a Vulnerability without a functioning exploit, you may be eligible for a partial Reward. If you submit the functioning exploit within a reasonable time of submitting the Vulnerability (as may be solely determined by RDP), we may, in our discretion, provide additional Reward (but are not obligated to do so).
  8. Awarding Rewards
    1. The decisions made by RDP regarding Rewards are final and binding.
    2. If RDP has determined at its sole discretion that your Submission is eligible for a Reward under the Policy, we will notify you of the Reward awarded and provide you with the necessary paperwork/documentation to process your award. Failure to deliver the paperwork/documentation as required by RDP may result in the non-awarding of Reward. You may waive the award if you do not wish to receive the Reward.
    3. If there is a dispute as to who the qualified submitter is, Program owner / platform will consider the eligible submitter to be the authorized account holder of the email address used to enter the Program.
    4. If your Submission qualifies for a Reward, please note:
      1. you shall not designate someone else to receive the Reward;
      2. if you are eligible for this Program but are considered a minor in your place of residence, we may award the Reward to your parent/legal guardian on your behalf;
      3. if you are unable or unwilling to accept your Reward, we reserve the right to rescind it.
    5. All rewards under this program will be disbursed exclusively in cash (fiat currency) through our approved payment channels. These include, but are not limited to, bank transfers and other officially recognized financial service providers as designated by RDP.
    6. We do not support or offer rewards in any form of cryptocurrency, including but not limited to Bitcoin (BTC), Ethereum (ETH), or stablecoins (e.g., USDT, USDC). Any requests for reward payments via cryptocurrency or unapproved platforms will be declined.
    7. Participants are responsible for providing accurate payment information through the approved channels to facilitate reward processing. All payments will be made in accordance with applicable local laws and tax regulations.
    8. If you follow this Policy when reporting an issue to us, we commit to:
      1. Not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this Policy. We consider activities conducted consistent with this Policy to constitute “authorized” conduct;
      2. Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within a reasonable time of your Submission); and
      3. If legal action is initiated by a third party against you and you have complied with our Policy, RDP will take steps to make it known that your actions were conducted in compliance with this Policy.
  9. Public Recognition
    1. RDP may publicly recognize individuals who have been awarded a Reward. RDP at its sole discretion may recognize you on web properties or other printed materials or digital platforms or any other media.
    2. Notwithstanding anything to the contrary stated elsewhere, the Policy does not allow public disclosure. You shall not release information about Vulnerabilities to the public, failing which you shall be liable for legal penalties.
  10. Privacy
    1. See the RDP Data Privacy Notice herein for disclosures relating to the collection and use of your information in connection with the Program. Notwithstanding the Data Privacy Notice, your information may be shared with service providers or vendors of RDP in relation to the Program. Your consent is deemed to be granted for such disclosures when you make a Submission.
  11. Code of Conduct
    1. By participating in the Program, you will follow these rules:
      1. Don’t do anything illegal.
      2. Don’t engage in any activity that exploits, harms, or threatens to harm children.
      3. Don’t send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
      4. Don’t share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).
      5. Don’t engage in activity that is false or misleading.
      6. Don’t engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).
      7. Don’t infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.
      8. Don’t help others break these rules.
    2. If you violate this Policy, you may be prohibited from participating in the Program in the future and any Submissions you have provided may be deemed to be ineligible for receiving a Reward.
  12. No Warranties
    1. RDP, AND OUR AFFILIATES, RESELLERS, MERCHANTS, AND VENDORS, MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS COMPLETELY VOLUNTARY AND AT YOUR OWN RISK. WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW. NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.
  13. Indemnification
    1. To the maximum extent permitted by law, you agree to indemnify and hold harmless, on demand and without any demur, RDP and each of its subsidiaries, affiliates, officers, employees, agents, shareholders, representatives and third party service providers (“Indemnified Parties”), from and against any and all claims, demands, costs, expenses, losses, liabilities and damages of every kind and nature (including, without limitation, attorneys’ fees) imposed upon or incurred directly or indirectly, or involving any third party claim, due to, relating to and/or arising from: (i) the breach of any term, obligation, covenant, representation or warranty of this Policy; (ii) your violation of any law; (iii) the violation of the rights of a third party or other persons, including without limitation any intellectual property or other proprietary right; (iv) any breach of confidentiality; (v) any misuse of data, including personal data; (vi) any breach of any waiver granted; (vii) any attempt to contact RDP’s clients, merchants, partners, users or third parties to inform them of the existence of the Vulnerability (including any reference or message in social media making reference to the finding); (viii) any attempt to bring, directly or indirectly, claims, lawsuits, demands, actions or judgments against RDP or any other Indemnified Party, in each case whether or not caused by the negligence of RDP or any other Indemnified Party and whether or not the relevant claim has merit; and/or (ix) any actual or threatened disparagement, defamation or bringing into disrepute of RDP and/or any Indemnified Party by you while being a participant in the Program.
    2. RDP holds the benefit of this indemnity and all other rights under these Terms as trustee for each Indemnified Party benefiting from it. RDP’s failure to act with respect to a breach by you or a cause of indemnity as stated above does not waive its right to act with respect to the same, subsequent or similar breaches. These indemnification obligations shall survive any termination or expiration of the Policy against you or your exit from the Platform.
  14. Limitation of RDP Liability
    1. If you have any basis for recovering damages in connection with the Program (including breach of these Terms), you agree that your exclusive remedy is to recover, from RDP or any affiliates, merchants, third-party providers, and vendors, direct damages up to a maximum of SGD 50. You can’t recover any other damages or losses, including direct, consequential, lost profits, lost business, lost opportunity, special, indirect, incidental, or punitive. These limitations and exclusions apply even if this remedy doesn’t fully compensate you for any losses or fails of its essential purpose or if we knew or should have known about the possibility of the damages. To the maximum extent permitted by law, these limitations and exclusions apply to anything or any claims related to these Terms and the Program.
  15. Dispute Resolution and Governing Law
    1. You and RDP irrevocably consent that this Policy shall be governed by and construed in accordance with the laws of Singapore.
    2. We hope we never have a dispute, but if we do, you and RDP (including its subsidiaries, affiliates and group entities) agree that if any dispute(s) or difference(s) shall arise between the parties in connection with or arising out of or relating to the Program and/or Policy, the parties shall attempt, for a period of 60 (sixty) days from the receipt of a notice (“Disputes Notice”) from the other Party of the existence of a dispute(s), to settle such dispute(s) informally by mutual discussions. If the said dispute(s) cannot be settled by mutual discussions within the sixty-day period specified above, such dispute(s) shall be referred to arbitration for final resolution in the manner provided herein. The Parties shall mutually appoint a sole arbitrator within 90 (ninety) days from the date of the Disputes Notice, who shall resolve such dispute(s) in accordance with the provisions of the Singapore International Arbitration Centre. In the event the Parties fail to appoint a sole arbitrator in accordance with the procedure aforesaid and within the time period specified above, a panel of arbitrators shall be appointed in accordance with the provisions of the Arbitration Rules for the final resolution of the dispute(s). The arbitration proceedings shall be held in the English language, with the seat of the arbitration being Singapore.
    3. Class action lawsuits, class-wide arbitrations, and any other proceeding where someone acts in a representative capacity aren’t allowed. Nor is combining individual proceedings without the consent of all parties. If the class action waiver is found to be illegal or unenforceable as to all or some parts of a dispute, then those parts won’t be arbitrated but will proceed in court, with the rest proceeding in arbitration. If any other provision of this section is found to be illegal or unenforceable, that provision will be severed but the rest of this section still applies.
  16. Miscellaneous
    1. This Policy is the entire agreement between you and RDP for your participation in the Program. It supersedes any prior agreements between you and RDP regarding your participation in the Program. All parts of these Terms apply to the maximum extent permitted by relevant law. If a court or arbitrator holds that RDP can’t enforce a part of these Terms as written, RDP may replace those terms with similar terms to the extent enforceable under the relevant law, but the rest of these Terms shall not change.
  17. Unsolicited Ideas
    1. Other than your Submission, RDP does not consider or accept unsolicited proposals or ideas, including without limitation ideas for new products, technologies, promotions, product names, product feedback and product improvements (“Unsolicited Feedback”). If you send any Unsolicited Feedback to RDP through the Program or otherwise, RDP makes no assurances that your ideas will be treated as confidential or proprietary.

IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM.

Annex 1: Illustrative Vulnerabilities

  1. Payment parameters manipulation, Price manipulation with a successful transaction
  2. All types of Injections
  3. Broken Access Control
  4. Server-side Injection
  5. Cross site scripting – XSS
  6. Remote Code Execution
  7. Sensitive data exposure
  8. Authentication Bypass / Unauthorized Access
  9. CSRF
  10. Unrestricted upload vulnerabilities
  11. Domain take-over vulnerabilities
  12. Sensitive information leak
  13. Descriptive error messages
  14. Any vulnerability that can affect the RDP Brand, User (Customer/Merchant) data and financial transactions
Annex 2: RDP Products

*.reddotpayment.com

*.reddotpayment.id

*.reddotpay.com
Annex 3: Out of Scope Vulnerabilities

  1. Any vulnerabilities without a properly described evidence report of possible exploitation
  2. Reports generated by automated scan tools
  3. Any services hosted by third party providers and services/Products not provided by RDP.
  4. Publicly available information and/or browser instructions, such as:
    1. Our policies on presence or absence of SPF/DKIM/DMARC records or Cross Site Request Forgery (CSRF) vulnerabilities on unauthenticated pages
    2. HTML character set vulnerabilities such as “does not specify” or “unrecognized”
    3. Lack of secure/HTTP Only flags on non-sensitive cookies
    4. Absence of using HTTP Strict Transport Security (HSTS)
    5. Clickjacking or the non-existence of X-Frame-Options on non-logon pages
    6. Cacheable HTTPS response pages on sites that do not provide money transfer capabilities
    7. Reports of insecure SSL/TLS ciphers
    8. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms (older than two major releases) or for users who have intentionally reduced security settings on their platform