General Regulations

Mandatory Policies

Below are the mandatory requirements for researchers and white hat hackers when reporting vulnerabilities:

  • You are not allowed to access or download users' personal data. If you accidentally discover such a vulnerability, stop immediately and notify us right away.
  • Do not affect the operation of services during the bug hunting process, for example by causing service disruption or destroying user data.
  • Only collect information that is sufficient to describe the vulnerability.
  • Provide us with as much information as possible about the vulnerability you found. You can attach files in the report via email or use other file storage services, but make sure they are only disclosed to us.
  • All questions or bug reports to the business must be sent only to the email address [email protected]. Please do not contact any individual or use any other communication method. This protects your rights and avoids other problems.
  • Public discussion about this program is not allowed.
  • You are not allowed to publicly disclose your report to the community without our consent.
  • Violations will be handled by a warning or by refusal to pay rewards.

Focus Vulnerabilities

We are interested in any design or implementation issue that significantly affects the security or data integrity of users and falls within the scope of the program, including:

  • Remote Code Execution
  • SQL Injection (SQLi)
  • Business Logic
  • Mobile-specific API vulnerabilities
  • Cross Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Authentication or Authorization related issues
  • Data Exposure

Invalid Vulnerabilities

Depending on the impact of the vulnerability, some reported issues may not be considered valid bugs; we assess them on a case-by-case basis. Below are some types of bugs that will not receive rewards:

  • Bugs that do not follow normal user behaviour and are unlikely to occur in practice
  • Bugs that only occur when using very old browser or plugin versions
  • Bugs that allow obtaining version information of web technologies
  • URL redirection
  • Logout cross-site request forgery
  • Email spoofing
  • DDoS

Rewards

Severity Level    Reward
CRITICAL          1000 USD
HIGH              700 USD
MEDIUM            300 USD
LOW               Thank you!

Scope

Name                           Type
*nextpay.vn                    Web, App
*nganluong.vn                  Web, App
*mpos.vn                       Web, App
*vimo.vn                       Web, App
*nexttech.asia                 Web, App
and other Nexttech products    Web, App...

Reporting Instructions

Each section of the report and its requirements:

Email Subject Line

Format: DOMAIN - NAME OF THE REPORTED VULNERABILITY

Example: nganluong.vn - SQL injection

Body/Main Point

Content must include:

  • Sender's information (optional): Nickname/website
  • Severity level: Critical / High / Medium / Low
  • Short description: vulnerability name and impact
  • Detailed steps:
    - Step 1,
    - Step 2,
    - Step 3...
  • Attached files: txt, pdf, mp3, mp4, png, jpg
  • Other important information (if any)

Receiving Address

Only send reports to: [email protected]

Other email addresses are not ours; sending reports to them may disclose vulnerabilities to attackers.