Report A Security Vulnerability
NUVEI VULNERABILITY DISCLOSURE PROGRAM
If you believe you have discovered a security vulnerability in Nuvei’s or any of its subsidiaries’ products or websites, please continue reading on how to submit a report to our security teams to investigate.
While we greatly appreciate community reports regarding security issues, at this time Nuvei does not provide monetary compensation for automated vulnerability reports.
Any security bugs or vulnerabilities that can be successfully shown to compromise the confidentiality, integrity, or availability of information relating to our clients and our secrets may be considered for compensation.
Any vulnerability or potential vulnerability you discover may not be disclosed publicly or to any 3rd party.
ELEGIBILITY REQUIREMENTS
- All vulnerabilities must be new discoveries and not previously known to Nuvei.
- The submitter must not reside in country on any Canadian, or US Sanctions lists.
PROHIBITED TESTING
The following tests are prohibited and will be subject to notification of law enforcement.
Automated tests of any kind including but not limited to:
- Brute Force
- SSL Labs Scanning
- 3rd party ASV Scanning
- Denial of Service
Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Nuvei services.
Do not attempt to target Nuvei employees or customers using methods of social engineering, phishing, or physical attacks.
OUT OF SCOPE
Non-qualifying security vulnerabilities include but are not limited to:
- Social engineering, phishing
- Physical attacks
- Missing Cookie Flags
- Content Spoofing
- Stack Traces, path disclosure, directory listings
- Ability to create external links.
- CSRF with minimal security implications.
- Client-Side enforcement of server-side security
- Email Spoofing
- Clickjacking on static website
- Good Practice Settings
- DOS/DDOS
- SPF record configuration
- Weak password policy
- SSL/TLS best practices