Responsible Disclosure Policy
Our bug bounty program is powered by Bugcrowd.
We ask that you:
- Report vulnerabilities expediently, to reduce the risk of malicious actors finding and exploiting them.
- Report vulnerabilities with sufficient detail so that we may reproduce them.

Please keep in mind the following constraints:
- Do not disclose vulnerabilities to others.
- Do not exploit vulnerabilities any further than necessary to prove their existence.
- Do not access, alter or download data belonging to legitimate users of the site.
- Do not perform any activity that could lead to the disruption of our service (DoS/DDoS).
- Do not test in a manner that would result in the sending of unsolicited or unauthorized junk mail or unsolicited messages.
- Do not test third-party applications or services that are integrated with PaymentsOS.
- Do not perform social engineering attacks.
- Do not violate any laws.
- Create an account with an email address that contains the word 'bounty'.
Note that if multiple researchers find the same bug, we’ll only reward the first researcher who discloses it to us.
Out of scope

| Target | Category |
|---|---|
| Email invitation feature | Other |
| Zooz repos on GitHub / GitLab | Other |
| Any direct API call from paymentsos.com / zooz.com to zendesk.com, i.e. the support tile in the control center | API Testing |
| Direct testing of 3rd parties (for example, testing Zendesk directly for any reason) | Other |
Testing is only authorized on the targets listed as In-Scope. Any domain/property of PayU not listed in the targets section is out of scope. This includes any/all subdomains not listed below. If you believe you've identified a vulnerability on a system outside the scope, please reach out to firstname.lastname@example.org before submitting.

In scope
- control.paymentsos.com - The control panel for PaymentsOS. Researchers are free to self-register through this portal.
- api.paymentsos.com - The API endpoint for PaymentsOS. Please see the documentation at developers.paymentsos.com.
- developers.paymentsos.com - This is where the documentation for PaymentsOS lives. Use this target to help set up your environment and test all the functionality of the application.
- admin.zooz.com - The admin portal for Zooz. No credentials have been provided for this portal, but researchers are free to see if they can gain access through privilege escalation, etc.
The following issues are already known and will not be rewarded:
- Both paymentsos.com and zooz.com are missing DKIM/DMARC records (no spoofing protection on the email domain).
- control.paymentsos.com does not invalidate existing sessions upon password reset.
- The HSTS header is missing from all domains.
- No global rate limiting on APIs and resources.
- Domain takeover via webflow.com.
Found a vulnerability? You can use the form below to submit your findings.