Responsible Disclosure Policy

At Zooz we value the security community and believe that a responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users. We also value the hard work that goes into security research. If you have discovered a security vulnerability in our website or API, we appreciate your help in disclosing it to us in a responsible manner. To show our appreciation for security researchers, we operate a bug bounty (reward) program for those who have responsibly disclosed vulnerabilities to us.

Our bug bounty program is powered by Bugcrowd.

We ask that you:

  • Report vulnerabilities expediently, to reduce the risk of malicious actors finding and exploiting them.
  • Report vulnerabilities with sufficient detail so that we may reproduce them.

Please keep in mind the following constraints:

  • Do not disclose vulnerabilities to others.
  • Do not exploit vulnerabilities any further than necessary to prove their existence.
  • Do not access, alter or download data belonging to legitimate users of the site.
  • Do not perform any activity that could lead to the disruption of our service (DoS/DDoS).
  • Do not test in a manner that would result in the sending of unsolicited or unauthorized junk mail or unsolicited messages.
  • Do not test third-party applications or services that are integrated with PaymentsOS.
  • Do not perform social engineering attacks.
  • Do not violate any laws.
  • Create an account with an email that contains the word 'bounty'.

Note that if multiple researchers find the same bug, we'll only reward the first researcher who discloses it to us.

Known Issues

  • Both paymentsos.com and zooz.com have missing DKIM/DMARC (No Spoofing Protection on Email Domain)

  • control.paymentsos.com doesn't invalidate existing sessions upon password reset

  • HSTS header is missing from all domains

  • No Rate Limiting (Global) on APIs and resources

  • Domain takeover using webflow.com

Out of Scope

  • Email invitation feature

  • Direct testing of 3rd parties (for example, testing Zendesk directly for any reason)

Submitting Vulnerabilities

Found a vulnerability? You can use the form below to submit your findings.
