Responsible Disclosure | Brain Payroll

We are dedicated to maintaining the security and privacy of the Brain services and customer data. We welcome security researchers or professionals from the community who want to help us improve the security of our products and services. You can submit any security vulnerability found in Brain application to securityincidents@brainpayroll.co.uk.

In order to be eligible for a reward under our bug bounty program, you must comply with the terms outlined below.

Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope.
Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and other platforms).
Only interact with accounts or devices you own or with explicit permission from the owner.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. If unsure or need advice, contact us at securityincidents@brainpayroll.co.uk.
Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data.
Do not attempt to execute Denial of Service attacks.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Report any vulnerability you have discovered promptly.
Do not engage in extortion by demanding a reward before disclosing vulnerability details.
Do not attempt physical attacks against Brain employees, offices, and data centers.
Use only the Official Channels to discuss vulnerability information with us.
Do not generate reports from automated tools and scans.
Our bug bounty program does not cover third-party assets, as it only applies to software under our control.

Scope

Brain offers the sandbox https://vapt.weservepayroll.xyz/ for testing security vulnerabilities.

All other Brain (including Brain's customer and partners) applications, websites, URLs, servers, endpoints, and other IT devices are out of scope.

How does a security professional or researcher qualify to enter this program?

The researcher and security professional has to submit their profile (Qualifications and achievements) to brain at securityincidents@brainpayroll.co.uk. The Brain team individually review your qualifications and invites you to enter the program. Once your profile is accepted by our security team, we will give you additional support and credentials of application for testing.

Typically, these are individuals who have established reputations, non-negative signals, and clear records with zero code of conduct violations. At times, we may also reach out to additional reputable individuals we believe would benefit the program.

Can I still do the security testing for Brain application even though I am not part of the program?

No. You must first submit your credential. Without the approval of Brain, you cannot be a part of program or authorize to do any security testing on Brain's application or website.

Rewards

Rewards are distributed according to the impact of the vulnerability based on the severity per CVSS v3.1 Ratings.

Severity	CVSS Rating	Rewards
Critical	9.0 to 10.0	£ 100
High	7.0 to 8.9	£ 50
Medium	4.0 to 6.9	£ 25

The table above outlines the nominal rewards for in-scope application environment. Brain, at its own discretion, will make the final decision on the bounties and rewards for qualifying vulnerabilities. In the event of duplicate reports, we award a bounty to the first person to submit an issue. The amounts may vary depending on the severity of the issue and the quality of the report. The brain holds the right to make the final decision at its own discretion.

What kinds of reports do not qualify?

The following is a non-exhaustive list of reports that do not qualify for a reward under our bug bounty program:

Bugs that have already been reported to us or bugs that we are otherwise already aware of.
Scripting or other automation and brute forcing of intended functionality (all of which is strictly prohibited).
Issues related to software or protocols not under our control.
Disclosure of public information or information that in our opinion does not present a significant risk.