Reporting vulnerabilities in our tech

We strive to maintain and improve our systems and processes so that our customers can make payments safely at all times. However, should you find a weakness in our systems, we would appreciate your help.

You can report any number of weaknesses in our systems. If you spot a weakness, please contact us as soon as possible. Examples are (but not limited to):
  • Cross-scripting vulnerabilities
  • SQL injection vulnerabilities
  • Encryption weaknesses
You can report weaknesses to us by email: responsible.disclosure@finja.pk or fill form below. Please mention in your email what weakness(es) you have identified.
A team of security experts will investigate your report and will contact you within five work days to discuss the weakness, how you found it and follow-up action.
We will only use your personal details to take action based on your report. We will not share your personal details with others without your express permission.
If you discover a weakness and investigate it, you might perform actions that are punishable by law. If you observe the rules for reporting weaknesses in our IT systems, we will not to report your offence to the authorities and will not submit a claim.

It is important for you to know, however, that it is possible that the Federal Investigation Agency of Pakistan - not SimSim - will decide whether or not you will be prosecuted, regardless of whether we report your offence to the authorities. We cannot promise that you will not be prosecuted if you commit a punishable offence according to the laws of Pakistan when investigating a weakness.
Take responsibility and act with extreme care and caution. When investigating the matter, only use methods or techniques that are necessary in order to find or demonstrate the weaknesses.
  • Secure your own systems as tightly as possible.
  • Do not use weaknesses you discover for purposes other than your own investigation.
  • Do not use social engineering to gain access to a system.
  • Do not install any back doors - not even to demonstrate the vulnerability of a system. Back doors will weaken the system's security.
  • Do not alter or delete any information in the system. If you need to copy information for your investigation, never copy more than you need. If one record is sufficient, do not go any further.
  • Do not alter the system in any way.
  • Only infiltrate a system if absolutely necessary. If you do manage to infiltrate a system, do not share access with others.
  • Do not use brute force techniques, such as repeatedly entering passwords, to gain access to systems.
Yes, you might receive a reward - but we are not required to give you one. You are not necessarily entitled to compensation. The amount of the reward is not fixed in advance. SimSim determines the amount, based on the following:
  • The caution taken in your investigation
  • The quality of your report
  • The amount of potential damages prevented as a result of your report
Never publicise weaknesses in our systems or your investigation without consulting us first. We can work together to prevent criminals from abusing your information. Consult with our security experts and give us time to solve the problem.
The email address responsible.disclosure@finja.pk is not intended for the following:
  • To submit complaints about SimSim and its services
  • To submit questions or complaints about the availability of SimSim services
  • To report fraud or suspicion of fraud
  • To report phony emails or phishing emails
  • To report viruses
Yes, you can. You do not have to give us your name and contact details when you report a weakness. Please realise, however, that we will be unable to consult with you about follow-up measures, e.g. what we do about your report, further collaboration, giving you credit or a possible reward.

Send US A EMAIL

Drop us a line by using the below form