Omise. Seamless software and APIs that enable businesses to accept payments and financial institutions to innovate at scale
If you believe you've found a security issue in our product or service, please let us know. We welcome working with you to resolve any issues.
NOTE: Read carefully what is in our Scope and what is allowed for research.
Investigating and reporting bugs
- Be the first to report it to receive credits or payments.
- Describe and explain the vulnerabilities;
- Give brief steps to reproduce the vulnerability;
- Provide a proof of concept (screenshots, screen recordings, etc.) that shows us the attack is reproducible, in case we get lost;
- Give a brief summary of the impact the vulnerability might have on our company.
- Follow our Disclosure Policy.
- Respect the exclusions.
- Only research on Scoped domains and systems.
Regarding the state of reports:
- Please familiarise yourself with report states: https://docs.hackerone.com/hackers/report-states.html
- If you have additional information, add it to the report.
- When the report is closed as N/A or Informative, please read the explanation behind closing the report, including the linked articles, carefully.
- If you feel we have made a mistake, update the report. We will consider your explanation and reply.
- Don’t file a separate report to discuss the same issue.
- Feel free to verify the bugfix, and let us know if there’s still a problem.
Main Components:
See the HackerOne Scope page for an up-to-date list of all endpoints in scope.
There are some exceptions by design for the dashboard:
- Rolling keys expires the old keys after 1 hour, and they are still shown for 15 minutes (you can revoke expiring keys to make them unusable immediately);
- Test data can be reset via a GET request; it is just test data, and this is a feature;
- Email verification is optional, not required, to continue using the service in test mode;
- You can create a test account without an email address (anonymous mode);
- Roles are applied to live mode only. All members will have full access in test mode.
Disclosure Policy
- Contact us here upon discovery of a potential security issue which needs immediate attention.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party. We will try to reply within 48 business hours.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Rewards and Eligible Vulnerabilities
We will reward depending on the application, risk, complexity, impact and overall severity of the vulnerability. You must provide as much explanation as possible on how the attack can be performed, the estimated percentage of users/browsers affected, browser versions, attack conditions and all edge case details.
Vulnerabilities must be applicable, have a proof of concept and must be reproducible. Non-reproducible findings that depend on other theoretical or non-existent high-level issues are not accepted.
Our team will review each vulnerability submission for eligibility and final reward consideration. Final reward amounts are at our sole and final discretion. In some instances, our reward panel may choose higher rewards for unusually major, clever or complex vulnerability submissions.
To receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, and allow us some time to fix it. Depending on the issue, we might take longer to produce a solution.
While researching, please refrain from:
- Denial of service.
- Spamming.
- Destruction of data.
- Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- Scans from available tools such as Nessus or Qualys.
Examples of qualifying vulnerabilities:
- Remote code execution
- Authentication bypass
- SQL injection
- Unauthorized Access
- Severe XSS and CSRF
- Change content on our pages/websites
- Skip merchant live account verification
- Live Account take-over
- Unauthorized data access such as:
  - Leak or retrieval of credit/debit card data
  - Leak or retrieval of merchant/account information
- iOS application security flaws
- Two Factor authentication bypass
Vulnerabilities not eligible:
- No email verification while signing up in test mode.
- No session expiration if password changed.
- Email enumeration via Login, Signup, or Forgot Password pages.
- Missing rate limiting on any endpoint.
- OTP validation on profile page when signed in correctly.
- Content spoofing / text injection.
- Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]
- Logout and other instances of low-severity Cross-Site Request Forgery.
- CSRF against unimportant GET URLs (e.g. resetting test data).
- Missing HTTP security headers.
- Host header attacks.
- Missing cookie flags on non-sensitive cookies.
- Password and account recovery policies, such as reset link expiration or password complexity.
- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM).
- Flaws affecting the users of out-of-date browsers and plugins: The security model of the web is being constantly fine-tuned. The panel will typically not reward any problems that affect only the users of outdated or unpatched browsers. In particular, we exclude Internet Explorer prior to version 9.
- SSL/TLS best practices.
- Clickjacking/UI redressing with no practical security impact.
- Presence of banner or version information: Version information does not, by itself, expose the service to attacks, so we do not consider this to be a bug. That said, if you find outdated software and have good reasons to suspect that it poses a well-defined security risk, please let us know.
- Vulnerabilities that depend on other non-existent vulnerabilities (these fall under best practices).
- Issues related to software not under our control (such as external dependencies) are not eligible for a reward.
- Our open source development is publicly visible. Reports related to an issue being fixed in a branch or being tracked in a public way will therefore not be eligible for a bounty.
- Reports of issues without a proof of concept or clear path to exploitation. You may still report these, but they will not be eligible for a monetary reward.
- Issues on older releases. Issues must be reproducible on latest/master releases only.
- Certificate pinning recommendations.
- Broken links on web pages. Most likely these will not be awarded.
- MITM attacks.
Security best practices: We welcome findings that are security best practices rather than actual security vulnerabilities, but we may not award bounties for them; we can only give you thanks and points.
NOTE: Reports covering the exclusions above may be closed as Not Applicable or Duplicate, causing you to lose your hard-earned points, or we may mark them as Informative if deemed a good security best practice.
Payment Conditions
All reward payments are subject to compliance with local laws, rules and regulations. Before you receive your reward, we may require that you sign an affidavit of eligibility, a questionnaire, and a release of liability. You will be solely responsible for all applicable taxes relating to any reward under this Program.
Thank you for helping keep us and our users safe!