Responsible disclosure

• You must make a good faith effort to avoid any privacy violations or disruptions to the services we provide. This includes, but is not limited to, unauthorised access to or destruction of data, and interruption or degradation of our services. You must also adhere to all applicable laws and regulations, including those prohibiting unauthorised access to data.
• If you discover a security issue, you must only use it for testing purposes and you must not conduct testing outside of your own account or another account without the explicit written consent of the account owner. You must also take into consideration any additional risks that the security issue may pose, such as the risk of compromising sensitive company data or another user's account.
• Avoid running automated scans.
• Refrain from testing the physical security of Trustly offices, employees, equipment, etc.
• Social engineering techniques (phishing, vishing, etc.) are not allowed.
• Do not conduct DoS or DDoS attacks.
• Do not disclose any issues to the public or any third party without explicit permission of Trustly.
• We maintain a list of security researchers who have submitted valid security reports. Participation on the list is optional. We reserve the right to limit the information associated with your name.

We are only interested in vulnerabilities on domains or IP addresses that are owned by Trustly Group AB or Trustly Inc. Check the WHOIS records to make sure it is owned by us.

The following examples are types of vulnerabilities that are always out of scope (this list is not exhaustive):

• HTTP 404 codes/pages or other HTTP non-200 codes/pages
• Fingerprinting/banner disclosure on common/public services
• Disclosure of known public files or directories (e.g. robots.txt)
• Clickjacking and issues only exploitable through clickjacking
• CSRF on forms that are available to anonymous users
• Logout Cross-Site Request Forgery (logout CSRF)
• Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
• Lack of secure/HTTP-only flags on non-sensitive cookies
• OPTIONS HTTP method enabled
• Enumeration of any @trustly.com addresses
• Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
  a. Strict-Transport-Security
  b. X-Frame-Options
  c. X-XSS-Protection
  d. X-Content-Type-Options
  e. Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  f. Content-Security-Policy-Report-Only
• TLS/SSL issues such as BEAST, BREACH, weak cipher suites, etc.
• Content spoofing/text injection without HTML/CSS
• Weak password policies
• Email configuration settings such as DMARC, SPF and DKIM