Responsible Disclosure Policy

At Zooz we value the security community and believe that responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users. We also value the hard work that goes into security research. If you have discovered a security vulnerability in our website or API, we appreciate your help in disclosing it to us in a responsible manner. To show our appreciation for security researchers, we operate a bug bounty (reward) program for those who have responsibly disclosed vulnerabilities to us.

Our bug bounty program is powered by Bugcrowd.

We ask that you:

  • Report vulnerabilities promptly, to reduce the risk of malicious actors finding and exploiting them.
  • Report vulnerabilities with sufficient detail so that we can reproduce them.

Please keep in mind the following constraints:

  • Do not disclose vulnerabilities to others.
  • Do not exploit vulnerabilities any further than necessary to prove their existence.
  • Do not access, alter or download data belonging to legitimate users of the site.
  • Do not perform any activity that could lead to the disruption of our service (DoS/DDoS).
  • Do not test in a manner that would result in the sending of unsolicited or unauthorized junk mail or unsolicited messages.
  • Do not test third-party applications or services that are integrated with PaymentsOS.
  • Do not perform social engineering attacks.
  • Do not violate any laws.
  • Create an account with an email address that contains the word ‘bounty’.

Note that if multiple researchers find the same bug, we’ll only reward the first researcher who discloses it to us.

Targets

In scope (target name, type)

  • control.paymentsos.com (Website Testing)
  • api.paymentsos.com (API Testing)
  • developers.paymentsos.com (Website Testing)
  • admin.zooz.com (Website Testing)

Out of scope (target name, type)

  • Email invitation feature (Other)
  • Zooz repos on GitHub / GitLab (Other)
  • DMARC records (Other)
  • Any direct API call from paymentsos.com / zooz.com to zendesk.com, i.e. the support tile in the control center (API Testing)
  • Direct testing of 3rd parties, for example testing Zendesk directly for any reason (Other)

Testing is only authorized on the targets listed as in scope. Any domain/property of PayU not listed in the targets section is out of scope. This includes any and all subdomains not listed above. If you believe you’ve identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.

Target Info

  • control.paymentsos.com - The control panel for PaymentsOS. Researchers are free to sign up themselves through this portal.
  • api.paymentsos.com - The API endpoint for PaymentsOS. Please see the documentation below.
  • developers.paymentsos.com - This is where the documentation for PaymentsOS lives. Use this target to help set up your environment and test all the functionality of the application.
  • admin.zooz.com - The admin portal for Zooz. No credentials have been provided for this portal, but researchers are free to see if they can gain access through privilege escalation, etc.

Known Issues

  • Both paymentsos.com and zooz.com are missing DKIM/DMARC records (no spoofing protection on the email domain)
  • control.paymentsos.com doesn’t invalidate existing sessions upon password reset
  • HSTS header is missing from all domains
  • No rate limiting (global) on APIs and resources
  • Domain takeover via webflow.com

Submitting Vulnerabilities

Found a vulnerability? You can use the form below to submit your findings.

Last modified May 16, 2022