Patron Technology Security Vulnerability Program

Responsible Disclosure of Security Vulnerabilities

If you have discovered a vulnerability, we request that you responsibly disclose the vulnerability to our security team by taking the following steps:

Ranking Vulnerabilities

All reported vulnerabilities are checked for validity, ranked, and then reviewed by the Patron Technology InfoSec team.

Patron Technology has established a Vulnerability Ranking Matrix based on NIST's Common [Vulnerability Scoring System V3](https://nvd.nist.gov/vuln-metrics/cvss). The Vulnerability Ranking Matrix is defined below. Vulnerabilities are ranked using the guidelines below with assistance from the [NIST CVSS Calculator](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). The final ranking for a vulnerability is the sole discretion of Patron Technology InfoSec.

P1: Critical

CVSS >= 9.0
Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, enable financial theft, grant large-scale access to PII, etc. At the discretion of Patron Technology, vulnerabilities that demonstrate a critical, widespread risk to information security may be eligible to receive a reward greater than the standard bounty.
Example: Vulnerabilities that result in unrestricted remote code execution, such as vertical authentication bypass, SSRF, XXE, SQL injection, user authentication bypass.

P2: High

CVSS 7.0 - 8.9
Vulnerabilities that affect the security of the platform, including the processes it supports.
Example: Lateral authentication bypass, stored XSS, some CSRF depending on impact.

P3: Moderate

CVSS 5.0 - 6.9
Vulnerabilities that affect multiple users and require little or no user interaction to trigger.
Example: Some reflected XSS, some direct object reference issues, URL redirect, some CSRF depending on impact.

P4: Low

CVSS < 5.0
Issues that affect individual users and require user interaction or significant prerequisites (such as a MITM position) to trigger.
Example: Common flaws, detailed debug information.

P5: Acceptable

Non-exploitable weaknesses and “won’t fix” vulnerabilities. Best practices, mitigations, and issues that are by design or an acceptable business risk to the customer, such as the use of CAPTCHAs.

In Scope Domains

The following domains are included in this program. 


In Scope Mobile Applications


Scope Exclusions

The following categories of reports are considered out of scope for our program and Patron Technology will NOT provide any reward pay out:


Changes to the Program

We may update or suspend this Program at any time without any prior notice. We encourage you to periodically review this page for the latest information on this Program. Any submitted reports will be processed using the Program terms in effect at the time our Security Incident Response Team reviews the report.

Effective Date of this Privacy Policy: 7/22/2020


PGP Key
