Responsible Disclosure Policy
Safeguarding the funds and personal data of our customers is a top priority at indó. We are fully committed to maintaining a secure and reliable IT infrastructure and appreciate help from our community and security professionals to achieve that.
If you discover a vulnerability, we want to hear from you and kindly ask you to report it in a secure and responsible manner as described below.
Rules of engagement
We must ask you to act responsibly and with caution.
- Do not go beyond what is required to identify and verify the vulnerability.
- Do not use the vulnerability to your advantage or to obtain private information.
- Do not permanently destroy or modify data.
- Do not disrupt any of our services.
- Do not for any reason attempt to install or open a backdoor.
- Do not share any data that you have obtained.
- Social engineering attacks are out of scope.
- Do not perform physical testing (e.g. office access, open doors, tailgating), or any other non-technical vulnerability testing.
- Do not publicly share your findings before we have confirmed that the vulnerability is fixed.
What should be reported
Any vulnerability related to www.indo.is, api.prod.indo.is or any other service exposed as *.indo.is.
We want to know about
- Anything which may threaten the confidentiality, integrity or availability of our data.
- Data which may have originated from our systems.
- Copycat or phishing attacks which are directed against our customers or use our name/branding.
If you are unsure about the exploitability of an issue or are unable to verify it within the rules of engagement, please contact us so we can investigate it safely.
What should not be reported
We are continuously monitoring our systems to identify issues and misconfigurations. We ask you to avoid reporting issues which do not lead to actual exploitation, such as:
- Simple bugs like 404 Not Found errors.
- Non-sensitive publicly available information.
- Low impact information disclosures such as software versions.
- Old versions, configurations or deviations from best practices which cannot be used directly for exploitation.
- Enumerations (accounts, emails, etc.) using brute-force attacks.
- Password/PIN policies and session lifetime.
How to get in touch
Please encrypt any sensitive information using this PGP key and send your findings to pwned@indo.is.
Reward
Valid vulnerabilities, reported through our responsible disclosure program, are rewarded with a dedicated spot in our hall of fame and all the bragging rights that come with it. Based on the vulnerability's severity, we may also send you some of our awesome indó merch.