PAX Vulnerability Disclosure Program
PAX Technology Limited (hereinafter referred to as PAX, we, us or our) is committed to improving the security of our products and services to fully support the secure operations of our customers' networks and services. We encourage security researchers, industry organizations, customers, and suppliers to report to us the suspected vulnerabilities associated to publicly accessible assets of PAX. PAX has established a process for handling reported suspected vulnerabilities.
Security researchers shall place our users’ interests at the forefront and respect the privacy of users. PAX encourages the interest parties to discover and report vulnerabilities legally and commits to working with security researchers to understand, confirm, and appropriately resolve the vulnerability. In accordance with the applicable laws and regulations, however, we reserve the right to pursue legal actions against illegal testing and disclosing actions.
PAX urges the reporting party to follow the Responsible Disclosure Policy, which involves privately notifying us of any security vulnerabilities before fully disclosing them to allow us to resolve the vulnerabilities and minimize any overall risk to users. During the entire process, PAX will strictly control the scope of information distribution. PAX will request the reporting party to keep the vulnerability confidential until PAX has completed the fix and bulletin.
Prizes and Process
1. For eligible reports, PAX will award all reporters' prizes before the end of each calendar year.
2. With the consent of the vulnerability reporter, the reporters will be credited and the name of reporters will be displayed on the Acknowledgements of PAX’s official website.
3. Please note that prizes and Acknowledgements will be issued and updated uniformly at the end of each calendar year, regardless of when the reports are submitted.
4. This prizes program process will be terminated if the report or participant's submission of the vulnerability does not meet the eligibility requirements or any other necessary conditions.
5. If reporters violate the Responsibility Disclosure Policy, PAX will not award the reporters’ prizes.
In return, we will:
1. Work with you to understand and resolve the potential vulnerability quickly, PAX promises you a timely response;
2. Use our best efforts to resolve security vulnerabilities by including but not limited to releasing patches to our partners, and communicate with the stakeholders as needed;
3. While a monetary reward is not currently available, a prize will be offered and eligible vulnerability reports will be acknowledged in accordance with our Prize and Acknowledgement Policy ;
4. With PAX’s consent, the reporting parties may conduct the CVE applications for the specific resolved vulnerabilities in certain PAX products after the Security Advisory is released.
We ask our security research community to follow the rules:
1. Make every effort to avoid improper or illegal actions, such as blackmail, violation of privacy, degradation of user experience, disruption to internal or external servers, PAX devices or services and destruction of data or physical assets during security testing;
2. Follow the Required Information outlined in the Reporting Process to report details of potential vulnerabilities as complete as possible;
3. During the period of responsible vulnerability disclosure, keep information about the discovered potential vulnerability confidential between all parties until we have resolved the issue;
4. Restrain from using any exploits or vulnerabilities for commercial or business purposes;
5. Reported vulnerability or related exploits must not involve any illegal activities, and reporters must not violate any applicable laws and regulations, or infringe any third party rights (including intellectual property rights).
Please contact PAX at VulnerabilityDisclosure@paxsz.com with any security-related issues on the PAX product or solution.
Please note that only emails sent in English or Chinese can be considered.
Use the Public PGP key (Key ID 8B23 89DC; Fingerprint: F1C5 8104 CE21 B082 4AD7 88A4 66F0 4EBA 8B23 89DC) to encrypt your report.
For PAX partners, please use PAX Partner Network (PPN) to report issues with PAX products and obtain technical support. Contact your representative for the PPN account if necessary.
Vulnerabilities identified by PPN will be handled according to PAX's internal processes.
- Organization and contact name;
- Summary of the vulnerability, including issue description, class or type of vulnerability;
- The impact (arbitrary code execution, information disclosure, etc.) and severity estimate;
- Affected product/service, including model, hardware/software version, configuration;
- Tools and steps to reproduce the issue;
- Proof-of-Concept(PoC) code or other substantial evidence;
- Recommendations for mitigation;
- Possible root cause, if any;
- Disclosure plans, if any.
To report a security vulnerability affecting a PAX product or solution, please contact PAX using the methods described in the Contact Information section.
Particularly, if you need to report a potential security issue please include the word [VULNERABILITY] in the subject line.
PAX's vulnerability handling and disclosure process consists of the following four steps:
PAX usually responds to incoming reports within two business days. “Business Day” shall mean any day other than Saturday, Sunday, or any public holiday in China. If any period expires or action is to be taken on a day which is not a Business Day, the time frame for the same shall be extended until the next Business Day. If a reply email is not delivered, please make sure the email from PAX has not been marked as junk.
PAX investigates and reproduces the reported issue to test whether it is a vulnerability and assesses the severity level based on security impact and Proof-of-Concept. During this phase, PAX will maintain communication with the reporter to confirm the issue if necessary.
PAX typically takes three to ten business days to complete the verification.
PAX performs internal vulnerability handling in collaboration with the responsible security and development groups, and will maintain vulnerability mitigation and recovery plans for any affected products or solutions.
The duration of this phase will vary in accordance with the risk level, impact and difficulty.
During this period, regular communication is maintained between PAX and the reporting party to inform both parties of the current status. If available, pre-releases of software fixes may be provided to the reporting party for verification.
Once the patches or fixes are available for distribution, the process will progress to the disclosure phase.
PAX will use existing customer notification processes to manage the release of patches or fixes and release vulnerability remediation information to PAX’s customers.
A PAX Security Advisory typically contains the following information:
- Vulnerability description
- Known affected product and versions
- Remediation solution and available fixes
RESPONSIBILITY DISCLOSURE POLICY
At PAX, we take security and privacy issues very seriously, and we cherish the security research community with our commitment to addressing potential security vulnerabilities as quickly as possible. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our end users.
PRIZE AND ACKNOWLEDGEMENT POLICY
In return for helping PAX improve the security of our products and minimizing risk to our end-consumers, PAX offers a prize and acknowledgement for eligible security vulnerability reports.
Conditions for Vulnerability Eligibility
1. The security vulnerability stated in the Report has been confirmed after PAX has completed the Report, Verify, Remediation and Disclosure procedures. The Reports that have been verified by PAX as ineligible (see clause 4 for details) may not be eligible for a prize.
2. The Report shall be based on PAX devices with the latest available Android version and firmware (including Android SmartPOS, Unattended Payment and Classic POS listed in PAX Terminals list), currently up-to-date software services, the newest version of applications developed and signed by PAX.
3. In case of receiving duplicate or similar reports of a specific vulnerability, only the first report will be eligible for a prize. In some cases, reports may also be considered duplicates if the patch for the vulnerability is already scheduled for release.
4. Reports related to the following categories are ineligible:
- Software bugs or a behavior of software that has no security impact;
- Exploit is based on a complex scenario or the probability of an exploit is very low;
- Scenarios requiring excessive user interaction or tricking users like phishing or clickjacking;
- Vulnerability in a 3rd party code that affects not only PAX devices but also other Android devices;
- Reports from people employed by PAX and its affiliates, partners, or family members of people employed by PAX;
- Reports based on information obtained or extracted through illegal access to PAX confidential information;
- Require excessive preconditions to exploit a vulnerability (Vulnerabilities that assume devices configured as developer mode may be downgraded or considered of No Security Impact);
- After the reporter submits the vulnerability, the reporter needs to supplement the information after the review by PAX, and the reporter does not supplement the information within 5 working days;
- Result in an application-level crash, or simply mentions the possibility of MITM or SQL injection without an exploit (SQL injection with no practical security impact may be considered no security impact and thus possibly ineligible).
5. You acknowledge and agree that the reports may be shared with our stakeholders and affiliates.
Notwithstanding any terms and conditions mentioned above, for the purposes of identifying and assessing a vulnerability report, including but not limited to the effectiveness of the vulnerability, the eligibility of a report, the severity level of the vulnerability, the award of the prize, PAX reserves the right of final interpretation.
First of all, PAX would like to express our sincere thanks to all the reporting parties who have ever helped us in PAX security.
Thank you for your unquenchable passion and sense of justice for responsibly disclosing information to us, for helping us address security issues, and for working with us to improve PAX’s security.
The following is the 2022 PAX Security Acknowledgement.
Saif Aziz (@wr3nchsr), https://cyshield.com