Ascend Money Group of Companies’ Vulnerability Disclosure Policy
Ascend Money Group of Companies (collectively referred to as “ACM”) recognizes the importance of, and is committed to, ensuring the security of its databases, systems, products and applications by protecting them from unwarranted security disclosure.
This Vulnerability Disclosure Policy (“Policy”) or Vulnerability Disclosure Program (“VDP”) is established to give security researchers clear information on how they shall conduct their security vulnerability research and how to contact us; all of this is subject to ACM’s explicit instructions and approval at all times. We encourage security researchers to report vulnerabilities and share their expertise with us in good faith, so that we can fix any vulnerabilities found, improve our security posture and, as we deem fit, publicly acknowledge their contribution to the security community.
This Policy describes the ACM VDP rules of engagement, scope and exclusions, how to send vulnerability reports, our contact information, and what security researchers can expect after submitting a vulnerability report to us: our actions to fix the issue, our communication with them, and our acknowledgement of their work.
In addition, this Policy aligns with widely accepted best practices for vulnerability disclosure but does not grant permission to any individual or entity to engage in any actions that are unlawful or that could cause ACM or its partners to breach legal obligations.
Rules of Engagement
Before submitting a vulnerability report, please make sure to read the information in our Policy thoroughly. We appreciate individuals (in this Policy, referred to as ‘security researcher(s)’) who responsibly share potential security issues with us. Please note that we do not provide financial compensation for such reports, and public disclosure of the vulnerabilities is not permitted. This is a critical condition to any security researcher engaging with ACM in this regard.
To support responsible vulnerability research under this VDP, and to clearly distinguish ethical behaviour from malicious activity, security researchers must:
- Adhere to the rules outlined in this Policy and any applicable terms or agreements;
- Conduct testing only within the defined scope given by ACM, and avoid engaging with systems or areas that are explicitly out of scope;
- Act with the highest industry level of care to prevent privacy breaches, data loss and/or disclosure, and any disruption or degradation of our services, and keep all information that you are exposed to in strict confidence;
- Understand and agree that any such vulnerability report(s) created and/or submitted to ACM shall be exclusively owned by ACM. Accordingly, the security researchers hereby agree and irrevocably assign and transfer to ACM (or any entity designated by it) all rights (if any) in such vulnerability report(s) without any further claim and/or right whatsoever (and shall fully cooperate with ACM to effect such assignment and transfer, if so requested by ACM);
- If you discover a vulnerability that grants unintended access to data, you must access only the minimal amount necessary to demonstrate the issue through a Proof of Concept (a step-by-step explanation which can let us reproduce the vulnerability issue);
- Immediately stop testing and submit a report if you come across any user data, including personal or sensitive information, payment details, or proprietary content;
- Promptly report any real or potential security issue/vulnerability that you have discovered via our designated reporting channel (e-mail: [email protected]); and
- Provide us reasonable time to verify, resolve and contact you back regarding the reported vulnerabilities.
Accordingly, the security researchers must NOT:
- Test any ACM systems/applications other than those stated in the ‘Scope’ Section below;
- Test in a manner that could degrade ACM’s systems or cause a DoS or DDoS condition on them;
- Introduce any malicious code into ACM’s systems;
- Disclose any vulnerability information and/or any part of a vulnerability report(s), except as stated in the “Reporting a Vulnerability” Section below;
- Intentionally compromise the privacy or safety of ACM, ACM personnel or its relevant third parties;
- Intentionally compromise intellectual property or other proprietary, commercial or financial interests of ACM, its personnel or its relevant third parties;
- Delete, alter, share, retain, sell or destroy ACM information you may encounter/discover during the test (if any); and
- Engage in social engineering, or in physical testing of facilities or resources.
Scope
All systems and services associated with the domains listed below, including their subdomains, are in scope under our VDP unless explicitly excluded.
In case you are not certain whether a domain, system or endpoint is in scope or not, please contact [email protected] prior to starting your research.
*.truemoney.*
*.tmn-dev.com
*.ascendcorp.com
*.ascendmoney.io
*.ascendmoneygroup.com
*.truemoneyplus.*
*.truemoneyvay.*
*.ascendnano.com
*.ascendnano.io
*.ascendwealth.co.th
*.ascendwealth.io
*.insurance.ascendmoney.io
*.abc-dev.network
*.ascendbit.*
Vulnerability Exclusions
Below are examples of the security issues/vulnerabilities which are out of scope in accordance with this Policy. Therefore, the security researcher must refrain from submitting any reports regarding the following vulnerabilities/issues:
- HTTP 404 codes/pages or other HTTP codes/pages, and content spoofing/text injection on these pages;
- Reports of outdated software or upgrade possibilities without an associated proof of concept of a working exploit;
- Systems and protocols that can be abused for a DDoS attack;
- Issues with SSL configurations:
  - SSL forward secrecy disabled
  - Weak/insecure cipher suites
- DNS CAA records;
- Anything related to HTTP security headers, for example:
  - Strict-Transport-Security
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Content-Security-Policy;
- Social engineering attack (e.g., phishing, vishing, smishing); and
- Physical security vulnerabilities.
Reporting a Vulnerability
If you believe you have identified a security vulnerability in our databases, systems, products or applications, please promptly report it to us via email at [email protected].
When submitting your report, be sure to include the following information:
- The website, IP address, or specific URL where the vulnerability is present.
- A concise summary of the vulnerability type (e.g., “Cross-Site Scripting (XSS) vulnerability”).
- Clear, step-by-step instructions to reproduce the issue using a safe and non-destructive Proof of Concept. This helps us assess and address the reported issue efficiently.
- Impact of the vulnerability.
- Risk score (please use the OWASP Risk Rating calculator).
- Contact information (optional).
Our commitment:
- We will acknowledge receipt of your report within 7 (seven) business days.
- To the best of our ability, we will keep you updated on the progress as we work toward resolving the issue.
- As long as you adhere to and comply with this Policy when performing your security research, we will consider your research and report to be authorized and will work with you to understand and resolve the reported vulnerability in a timely manner. Your report will be kept confidential, and no legal action will be taken against you in relation to it.
- Your report submission will be treated with strict confidentiality, and your personal information will not be shared with third parties without your explicit consent.
Recognition/Acknowledgements:
While we do not offer monetary rewards for vulnerability report submissions, we highly recognize and value your contribution. Researcher(s) who submit valid vulnerability reports via our VDP will therefore receive exclusive swag from ACM and/or be acknowledged in our Hall of Fame.