Trio's Responsible disclosure policy

Trio is committed to security, We care deeply about the safety and security of our customer’s data. We deeply value all those in the security community who help us ensure 100% security of all our systems at all times. We reward reporters for the responsible disclosure of in-scope issues and exploitation techniques.

How to Report a Vulnerability?

If you happen to have identified a vulnerability on any of our web or mobile app properties, we request you to follow the steps outlined below:

• Please submit the vulnerability report form with the necessary details to recreate the vulnerability scenario. This may include screenshots, videos or simple text instructions.
• If possible, share with us your contact details (phone number or Email), So that our security team can reach out to you if further inputs are needed to identify or close the problem.
• If the identified vulnerability can be used to potentially extract information of our customers or systems, or impair our system’s ability to function normally, then please refrain from actually exploiting such a vulnerability. This is absolutely necessary for us to consider your disclosure a responsible one.
• While we appreciate the inputs of Whitehat hackers, we may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customer or system information or impairing our systems.
• Upon receiving your report, our team will start investigating the issue. We will keep you updated on the progress and may reach back for further details if needed.
• Of course, we want to compensate your effort, so for any valid vulnerabilities with a CVSS score of 4 or higher, we will reach back to you with a respective reward.
• If you come across any vulnerabilities in our products, please don't hesitate to report them by emailing us at security@triotech.co.in.

Programme rules

• Don't violate the privacy of other users, destroy data, disrupt our services, etc.
• Give us a reasonable time to respond to the issue so that Our team will try to triage all reports with priority to the severity, scenario and exploit complexity. We will notify you when the reported vulnerability is remediated, and you may confirm that the solution covers the vulnerability adequately.
• Only target your own accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the accounts of other users without the express permission of our team.
• Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc.
• In case you find a severe vulnerability that allows system access, you must not proceed further.
• It is Trio’s decision to determine when and how bugs should be addressed and fixed. Disclosing bugs to a party other than Trio is forbidden, all bug reports are to remain at the reporter and Trio’s discretion.
• Threatening of any kind will automatically disqualify you from participating in the program. Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
• Bug disclosure communications with Trio’s Security Team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.

Eligibility

• Be the first to report the issue to us.
• Must pertain to an item explicitly listed under Vulnerability Categories.
• Must contain sufficient information including a proof of concept screenshot, video, or code snippet where needed.
• You agree to participate in testing the effectiveness of the countermeasure applied to your report.
• You agree to keep any communication with Trio private.

Scope

1. Any website that is owned by Triotech

Qualifying Vulnerabilities

Any design or implementation issue that is reproducible and substantially affects the security of Trio users is likely to be in scope for the program. Common examples include:

• Injections
• Cross Site Scripting (XSS)
• Cross Site Request Forgery (CSRF)
• Remote Code Execution (RCE)
• Authentication/Authorisation flaws
• Domain take-over vulnerabilities
• Able to take-over other Trio user accounts (while testing, use your own another test account to validate)
• Any vulnerability that can affect the Trio Brand, user data and financial transactions

Exclusions

The following bugs are unlikely to be eligible:

• Vulnerabilities found through automated testing
• "Scanner output" or scanner-generated reports
• Publicly released CVE’s or 0-days in internet software within 90 days of their disclosure
• "Advisory" or "Informational" reports that do not include any Trio testing or context
• Vulnerabilities requiring MITM or physical access to the victim’s unlocked device
• Denial of Service attacks
  • SPF and DKIM issues
  • Content injection
  • Hyperlink injection in emails
  • IDN homograph attacks
  • RTL Ambiguity
• Content Spoofing
• Vulnerabilities relating to Password Policy
• Full-Path Disclosure on any property
• Version number information disclosure
• Third-party applications on the Trio Application directory (identified by the existence of a "Report this app" link on the app's page). Please report vulnerabilities with these services to the creator of that specific application
• Clickjacking on pre-authenticated pages, or the non-existence of X-Frame-Options, or other non-exploitable clickjacking vulnerabilities
• CSRF-able actions that do not require authentication (or a session) to exploit
• Reports related to the following security-related headers:
  • Strict Transport Security (HSTS)
  • XSS mitigation headers (X-Content-Type and X-XSS-Protection)
  • X-Content-Type-Options
  • Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
• Bugs that do not represent any security risk
• Security bugs in third-party applications or services built on the Trio API - please report them to the third party that built the application or service
• Security bugs in software related to an acquisition for a period of 90 days following any public announcement
• HTTP TRACE or OPTIONS methods enabled
• Non-sensitive (i.e., non-session) cookies missing the Secure or HttpOnly flags
• Tap jacking
• Mobile client issues require a rooted device and/or outdated OS version or SSL pinning issues.
• Subdomain takeovers without supporting evidence
• Missing best practices in SSL/TLS configuration
• The Vulnerabilities that cannot be used to exploit other users or Trio -- e.g., self-XSS or having a user paste JavaScript into the browser console
• Open ports without an accompanying proof-of-concept demonstrating vulnerability

Acknowledgements

We do not have a bounty/cash reward program for such disclosures, but we express our gratitude for your contribution in different ways. For genuine ethical disclosures, we would be glad to publicly acknowledge your contribution in this section on our website. Of course, this will be done if you want a public acknowledgement.

Hall of Fame

This is dedicated to recognizing the contributions of our top security researchers who have helped us improve the security of our systems and applications through their bug reports.

We are proud to showcase their names and acknowledge their outstanding efforts in making our service more secure and reliable for our users. We are grateful for the time and expertise that these researchers have invested in testing and reporting vulnerabilities to us. Their contributions have helped us identify and address potential security issues before they can be exploited by malicious actors.