PAX Vulnerability Disclosure Program
PAX Technology Limited (hereinafter referred to as PAX, we, us or our) is committed to improving the security of our products and services to fully support the secure operations of our customers' networks and services. We encourage security researchers, industry organizations, customers, and suppliers to report to us suspected vulnerabilities associated with publicly accessible assets of PAX. PAX has established a process for handling reported suspected vulnerabilities.
Security researchers shall place our users' interests at the forefront and respect the privacy of users. PAX encourages interested parties to discover and report vulnerabilities legally and commits to working with security researchers to understand, confirm, and appropriately resolve the vulnerability. In accordance with the applicable laws and regulations, however, we reserve the right to pursue legal action against illegal testing and disclosure.
PAX urges the reporting party to follow the Responsible Disclosure Policy, which involves privately notifying us of any security vulnerabilities before fully disclosing them, to allow us to resolve the vulnerabilities and minimize any overall risk to users. During the entire process, PAX will strictly control the scope of information distribution. PAX will request that the reporting party keep the vulnerability confidential until PAX has completed the fix and bulletin.
Prizes and Process
1. For eligible reports, PAX will award all reporters' prizes before the end of each calendar year.
2. With the consent of the vulnerability reporter, the reporters will be credited and the name of reporters will be displayed on the Acknowledgements of PAX’s official website.
3. Please note that prizes and Acknowledgements will be issued and updated uniformly at the end of each calendar year, regardless of when the reports are submitted.
4. The prize process will be terminated if the report or the participant's submission of the vulnerability does not meet the eligibility requirements or any other necessary conditions.
5. If reporters violate the Responsible Disclosure Policy, PAX will not award the reporters' prizes.
In return, we will:
1. Work with you to understand and resolve the potential vulnerability quickly; PAX promises you a timely response;
2. Use our best efforts to resolve security vulnerabilities, including but not limited to releasing patches to our partners, and communicate with the stakeholders as needed;
3. While a monetary reward is not currently available, a prize will be offered and eligible vulnerability reports will be acknowledged in accordance with our Prize and Acknowledgement Policy;
4. With PAX's consent, the reporting parties may apply for CVE identifiers for the specific resolved vulnerabilities in certain PAX products after the Security Advisory is released.
We ask our security research community to follow the rules:
1. Make every effort to avoid improper or illegal actions during security testing, such as blackmail, violation of privacy, degradation of user experience, disruption to internal or external servers, PAX devices or services, and destruction of data or physical assets;
2. Follow the Required Information outlined in the Reporting Process to report details of potential vulnerabilities as completely as possible;
3. During the period of responsible vulnerability disclosure, keep information about the discovered potential vulnerability confidential between all parties until we have resolved the issue;
4. Refrain from using any exploits or vulnerabilities for commercial or business purposes;
5. Reported vulnerability or related exploits must not involve any illegal activities, and reporters must not violate any applicable laws and regulations, or infringe any third party rights (including intellectual property rights).
HANDLING PROCESS
PAX's vulnerability handling and disclosure process consists of the following four steps:
- Report
- Verify
- Remediation
- Disclosure
1. Report
To report a security vulnerability affecting a PAX product or solution, please contact PAX using the methods described in the Contact Information section.
In particular, if you need to report a potential security issue, please include the word [VULNERABILITY] in the subject line.
Required Information
- Organization and contact name;
- Summary of the vulnerability, including issue description and class or type of vulnerability;
- The impact (arbitrary code execution, information disclosure, etc.) and severity estimate;
- Affected product/service, including model, hardware/software version and configuration;
- Tools and steps to reproduce the issue;
- Proof-of-Concept (PoC) code or other substantial evidence;
- Recommendations for mitigation;
- Possible root cause, if any;
- Disclosure plans, if any.
PAX usually responds to incoming reports within two business days. "Business Day" shall mean any day other than Saturday, Sunday, or any public holiday in China. If any period expires or action is to be taken on a day which is not a Business Day, the time frame for the same shall be extended until the next Business Day. If a reply email is not delivered, please make sure the email from PAX has not been marked as junk.
2. Verify
PAX investigates and reproduces the reported issue to test whether it is a vulnerability and assesses the severity level based on security impact and Proof-of-Concept. During this phase, PAX will maintain communication with the reporter to confirm the issue if necessary.
PAX typically takes three to ten business days to complete the verification.
3. Remediation
PAX performs internal vulnerability handling in collaboration with the responsible security and development groups, and will maintain vulnerability mitigation and recovery plans for any affected products or solutions.
The duration of this phase will vary in accordance with the risk level, impact and difficulty.
During this period, regular communication is maintained between PAX and the reporting party to inform both parties of the current status. If available, pre-releases of software fixes may be provided to the reporting party for verification.
4. Disclosure
Once the patches or fixes are available for distribution, the process will progress to the disclosure phase.
PAX will use existing customer notification processes to manage the release of patches or fixes and release vulnerability remediation information to PAX's customers.
A PAX Security Advisory typically contains the following information:
- Vulnerability description
- Known affected product and versions
- Remediation solution and available fixes
CONTACT INFORMATION
Please contact PAX at VulnerabilityDisclosure@paxsz.com with any security-related issues on PAX products or solutions.
Please note that only emails sent in English or Chinese can be considered.
Use the public PGP key (Key ID 8B23 89DC; Fingerprint: F1C5 8104 CE21 B082 4AD7 88A4 66F0 4EBA 8B23 89DC) to encrypt your report.
For PAX partners, please use the PAX Partner Network (PPN) to report issues with PAX products and obtain technical support. Contact your representative for a PPN account if necessary.
Vulnerabilities reported via PPN will be handled according to PAX's internal processes.
RESPONSIBLE DISCLOSURE POLICY
At PAX, we take security and privacy issues very seriously, and we value the security research community and are committed to addressing potential security vulnerabilities as quickly as possible. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our end users.
PRIZE AND ACKNOWLEDGEMENT POLICY
In return for helping PAX improve the security of our products and minimizing risk to our end-consumers, PAX offers a prize and acknowledgement for eligible security vulnerability reports.
Conditions for Vulnerability Eligibility
1. The security vulnerability stated in the Report has been confirmed after PAX has completed the Report, Verify, Remediation and Disclosure procedures. Reports that have been verified by PAX as ineligible (see clause 4 for details) may not be eligible for a prize.
2. The Report shall be based on PAX devices with the latest available Android version and firmware (including Android SmartPOS, Unattended Payment and Classic POS listed in the PAX Terminals list), currently up-to-date software services, and the newest version of applications developed and signed by PAX.
3. In case of receiving duplicate or similar reports of a specific vulnerability, only the first report will be eligible for a prize. In some cases, reports may also be considered duplicates if the patch for the vulnerability is already scheduled for release.
4. Reports related to the following categories are ineligible:
- Software bugs or software behavior that has no security impact;
- Exploits based on a complex scenario, or where the probability of exploitation is very low;
- Scenarios requiring excessive user interaction or tricking users, such as phishing or clickjacking;
- Vulnerabilities in third-party code that affect not only PAX devices but also other Android devices;
- Reports from people employed by PAX and its affiliates or partners, or from family members of people employed by PAX;
- Reports based on information obtained or extracted through illegal access to PAX confidential information;
- Vulnerabilities that require excessive preconditions to exploit (vulnerabilities that assume devices are configured in developer mode may be downgraded or considered of no security impact);
- Reports for which PAX requests supplementary information after review and the reporter does not supply it within 5 working days;
- Reports that only result in an application-level crash, or that simply mention the possibility of MITM or SQL injection without an exploit (SQL injection with no practical security impact may be considered of no security impact and thus possibly ineligible).
5. You acknowledge and agree that the reports may be shared with our stakeholders and affiliates.
DISCLAIMER
Notwithstanding any terms and conditions mentioned above, for the purposes of identifying and assessing a vulnerability report, including but not limited to the effectiveness of the vulnerability, the eligibility of a report, the severity level of the vulnerability, the award of the prize, PAX reserves the right of final interpretation.
First of all, PAX would like to express our sincere thanks to all the reporting parties who have helped us improve PAX security.
Thank you for your unquenchable passion and sense of justice in responsibly disclosing information to us, for helping us address security issues, and for working with us to improve PAX's security.
2022
The following is the 2022 PAX Security Acknowledgement.
No.  Researchers
1    单眼皮的小杨
2    Saif Aziz (@wr3nchsr), https://cyshield.com
3    Jakub Kordulewski