Cyber Bounty Program

Last amended as of: 07 Feb 2025

Payop is committed to ensuring a high level of security for its products and services to protect our customers and their data. To achieve this goal, we have implemented a Cyber bounty program that allows security experts to actively help identify and fix vulnerabilities in our systems.

As part of this program, we invite security professionals to participate in identifying vulnerabilities across all Payop platforms and technologies. We offer financial rewards for various types of vulnerabilities that could compromise the security of our products. By engaging external specialists, we aim to make our services even more secure, reducing risks for users and partners.

We value responsible vulnerability reporting and encourage researchers who wish to participate in the program to review our rules and policies for safe and effective vulnerability testing.

Your participation will help us create a safer environment for all Payop users.

Overview of the Vulnerability Rewards Program

Payop promotes responsible vulnerability disclosure through its Cyber Bounty program. Participation in the program is contingent upon adherence to established policies, which are mandatory and non-negotiable.

Key Principles:
  • Act responsibly and in full compliance with the policy.
  • Limit your actions to the minimum necessary to verify the vulnerability.
  • Refrain from threats, extortion, or any form of blackmail.
  • Report discovered vulnerabilities promptly, including clear reproduction instructions and a proof of concept.
  • Ensure compliance with all applicable laws during the research process.
  • If in doubt, contact us at [email protected] for clarification.
Important Notice:

Any attempts to circumvent or violate the policy will result in immediate exclusion from the program. In cases of threats or extortion, information about the violator may be reported to law enforcement agencies.

Legal terms

Your involvement in the Program signifies your acceptance of Payop’s Terms of Service and Privacy Policy, which are accessible for review. You agree to adhere to all relevant laws and regulations, including those related to privacy and data processing.

Payop reserves the right to modify the terms of the Program at any time without needing your prior consent. The Company may update the Program by publishing a revised version on its website. By continuing your participation in the Program after such changes are posted, you accept the updated terms.

Participation in the Program is restricted for individuals who are residents of or located in countries listed in the sanctions lists of the United Nations Security Council, the USA, Australia, the EU, or the UK.

Payop prohibits the collection or publication of personal information without the consent of the users. Additionally, altering or damaging Payop’s applications or data is not allowed.

Employees of Payop, along with their relatives and household members, are ineligible to receive rewards under the Payop Program.

Conditions of participation

To participate in the Payop Cyber Bounty program, you must not:

  • Be a resident of or apply from a country subject to export sanctions or other trade restrictions (e.g., Russia, Iran, North Korea, Syria).
  • Violate national, state or local laws and regulations.
  • Be an employee of Payop or its subsidiaries.
  • Be a relative of a person who works for Payop or its subsidiaries.
  • Be a minor or a person lacking legal capacity.

If Payop determines that you do not meet these requirements, your eligibility to participate in the program will be terminated and you will not receive any Bounty payments.

Rules of engagement

By submitting reports or otherwise participating in this program, you agree that you have read and will comply with the sections “Program rules” and “Legal Terms” of this Program Policy.

Program rules

At Payop, we value the work of security professionals and developers who help keep our payment products secure and financial transactions safe. We have implemented and actively support a Coordinated Vulnerability Disclosure (CVD) program through our Cyber bounty program, which helps improve the security of payment system users.

By searching for vulnerabilities in our systems, you agree to comply with the following requirements:

Confidentiality: All data, vulnerabilities, research results, and communications with us must remain confidential until the issue is resolved and public disclosure is authorized. Any information received or collected about the Company or its users within this Program (“Confidential Information”) must be kept confidential and used solely in relation to this Program. You are prohibited from using, disclosing, or distributing any such confidential information, including, but not limited to, any data related to your Report or any information gathered during research on the Company’s websites, without prior written consent from the Company.

Test Account Usage: To avoid unintentional privacy violations, always use test accounts whenever possible. If you accidentally access personally identifiable information (“PII”) or any other sensitive data belonging to users, and you do not have written consent from the account owner, cease accessing the information immediately and notify us. Provide only a description of the personally identifiable information or other confidential data, without revealing the data itself.

Data Protection and Privacy:

  • Do not store or share any personally identifiable information of customers.
  • If you accidentally access such data, notify us immediately and delete all copies.
  • Limit data collection and access strictly to what is necessary for verifying a vulnerability and generating a report.
  • Once Payop acknowledges the report, securely delete all collected data.

Vulnerability Disclosure: Any vulnerabilities and related data must not be shared with third parties without written permission from Payop. This includes sharing information on social media, with other companies, or with the media.

Data Breach Notification: If you identify a security breach or data misuse, report the exact location of the data and ensure access is terminated. Do not disclose this information to others without our approval.

Bug Bounty: Reports must not include threats or demands. We reward legitimate vulnerability disclosures, but demanding a ransom for information, or withholding vulnerability details until demands are met, will be treated as attempted extortion. No bounty will be paid for ransom or any other illegal demand. If extortion is detected through the Cyber bounty program, we may be required to notify the authorities.

Before starting any research that may conflict with this policy, we encourage researchers to contact us for clarification. We are also always open to suggestions for improving this policy to ensure safe and efficient vulnerability research.

Safe Harbor:

When conducting vulnerability research under this policy, we consider the following research:

  • Authorized under the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws); we will not initiate legal action for accidental good-faith violations of this policy.
  • Exempt from the Digital Millennium Copyright Act (DMCA); we will not file claims for circumvention of technology controls.
  • Exempt from restrictions in our Terms of Use that may interfere with security research; we waive those restrictions on a limited basis for work performed under this policy.
  • Legal and beneficial to overall internet safety, as long as the research is conducted in good faith.

As always, you are expected to comply with all applicable laws.

Payop will not initiate legal action or law enforcement investigations against a researcher who complies with this policy.

Please note that if your research involves the networks, systems, information, programs, products or services of another organization (not ours), that organization may decide whether to file a lawsuit. We do not allow security research to be conducted on behalf of other companies. If a third party files a claim and you have followed this policy, we will take appropriate steps to communicate that your actions were taken in accordance with this policy.

Please report to Payop before engaging in any activity that may be inconsistent with or not covered by this policy.

Reimbursement

You agree to defend, indemnify, and hold harmless the Company, its subsidiaries, affiliates, and its officers, directors, agents, joint venturers, employees, and suppliers from and against any claims or demands (including attorneys’ fees) made or caused by any third party as a result of your Report, your violation of the terms of this Program and/or your improper use of this Program.

Termination

In the event that: 1) you have violated any of the terms of the Program; or 2) the Company determines, in its sole discretion, that your continued participation in the Program may adversely affect the Company (including, but not limited to, creating any threat to the Company’s systems, security, finances, and/or reputation), then the Company may immediately terminate your participation in this Program and deprive you of the right to receive any rewards.

Targets

Public targets

Payop.com

Bug reporting requirements

All submitted reports are assessed by Payop and rewarded based on the vulnerability rating. All payments are made in Euros (EUR). To receive your reward, you will need to provide a copy of your ID and your bank account details. Bug reports must be submitted through the official channel of this program. Please do not use third-party sites to report vulnerabilities, as they are not official and are not supported by Payop.

To receive a reward for a detected bug, you must complete the following steps:

Creating an initial request

  • Submit a request through the official Payop site by filling in the required fields.
  • In a brief message, provide the main information about the detected problem.

Request analysis

  • The support team receives your request, analyzes it and sends you instructions on the next steps.
  • WARNING: You are strictly prohibited from transmitting, publishing, or allowing others to use the information provided to you for testing.

Submitting a findings report

  • After receiving the necessary instructions, you will need to create a request in which you provide a report on the vulnerability found.
  • The report must contain the evidence listed in the official text of the Cyber bounty program.

Review of the report

  • The request is considered by qualified specialists within 1-5 working days.
  • Based on the results of the analysis, you will be informed about the status of the findings.

Confirmation and payment of reward

  • In case of confirmation of a vulnerability that meets the criteria of the program, the amount of the reward is determined according to the vulnerability assessment scale.
  • You will need to provide a copy of your ID and bank account details to receive your payment.

Remuneration payments

  • After your identity has been verified, the finance department transfers the funds.
  • A notification of successful payment will be sent.

Any demand for payment or other consideration in exchange for vulnerability information will result in immediate denial of the reward. Failure to disclose vulnerability details will also result in denial of the reward.

In the report, provide clear instructions on how to reproduce the vulnerability and a proof of concept. If we are unable to reproduce your findings, no reward will be given. Use only the data necessary to prove a security vulnerability and promptly return any assets you obtained.

For all submitted documents, please include:

  1. A complete description of the vulnerability, including the possibility of its exploitation and impact.
  2. Evidence and explanation of all steps to reproduce the vulnerability, including:
    • Video
    • Screenshots
    • Exploit code
    • Logs
    • Web/API requests and responses
    • The email address or user ID of the test account
    • IP address used during testing.

Failure to provide an email address or test account ID and IP address will result in a penalty of 15% of the bounty.

Submission Rules for Remote Code Execution (RCE):
An RCE report must include the following; failure to meet these requirements may result in forfeiture of the reward:

  1. Source IP address.
  2. Timestamp (including time zone).
  3. Full server request and response.
  4. Names of uploaded files, which must contain “bug-bounty” and a timestamp.
  5. Callback IP address and port (if applicable).
  6. Data accessed intentionally or unintentionally.

Allowed actions:

  • Executing safe commands through a web application or interface (e.g., whoami, hostname, ifconfig).
  • Uploading files whose content is only the output of a safe, hard-coded command.

Prohibited actions:

  • Uploading files that allow the execution of arbitrary commands (for example, a web shell).
  • Changing or deleting files and data.
  • Interruption of normal operations (eg reboots).
  • Creating and maintaining a permanent connection to the server.
  • Viewing files or data not related to vulnerability validation.
  • Withholding any information about the actions you have taken.

Prohibited testing:

  • The use of automated scanners and vulnerability detection tools is strictly prohibited.
  • Do not test web forms in an automated manner, especially “Contact us” forms.
  • In Public Targets applications, do not modify or add random content.
  • Do not test the physical security of Payop offices or equipment.
  • It is forbidden to carry out attacks that can damage the services (for example, DDoS or spam).
  • Don’t target end users or trade stolen credentials.
  • You can test in your own or test accounts, but you must not violate or compromise other people’s data.

Disclosure of vulnerability to third parties is prohibited. Any attempt to circumvent the established rules will result in the immediate cancellation of the payment of the reward.

Privacy:
If your testing accidentally causes a breach of privacy (e.g., access to credentials or other sensitive information), please include this in your report or email [email protected].

Report ownership

You hereby grant the Company, along with its subsidiaries, affiliates, and customers, a perpetual, irrevocable, worldwide, royalty-free, transferable, sublicensable (including through multiple tiers), and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works, manufacture, use, sell, offer for sale, and import the Report, as well as any materials provided to the Company in connection with it, for any purpose. Do not submit any material to the Company unless you are willing to grant this license. You represent and warrant that the Report is your original work and that you hold all rights, titles, and interests in it. The Company is not restricted in any way from discussing, reviewing, or developing for itself or for third parties any materials that may compete with or resemble those described in the Report. 

Reward scale:

Severity level    | Description of the situation                                                                                         | Payout range
Low severity      | Minor violations, errors in payments, minor technical problems that did not lead to serious consequences.           | 50 – 150 EUR
Medium severity   | Problems with data security, errors in transactions, violations of terms of use that did not lead to large losses.  | 250 – 500 EUR
High severity     | Large-scale failures, data privacy violations, large financial losses for users or the company.                     | 750 – 1000 EUR
Critical severity | Large financial losses, serious breaches of data privacy, legal problems, fraud.                                    | 1500 – 2500 EUR

The Company retains the exclusive right to make the final determination regarding the payment of remuneration. Please refer to the section “Unqualified Vulnerabilities Without Reward,” which specifies the types of findings that are not eligible for compensation. By participating in the Cyber Bounty Program, you acknowledge and accept the terms of the program, including this provision.

Vulnerability rating:

Critical level

Problems of this level of severity pose an immediate threat to users or the service as a whole. This can lead to major security consequences, lost funds, or disrupting the normal operation of the payment system. Vulnerabilities can have serious consequences for financial transactions or data access, including:

  • Execution of arbitrary code or commands on servers in the production environment.
  • Access to the database without the appropriate authorization.
  • Bypassing the authentication system (password/2FA).
  • Theft or unauthorized access to sensitive user data such as financial information, transaction history, etc.
  • Compromise of the company’s internal services or infrastructure.

High level

Vulnerabilities at this level are usually smaller in scope than critical issues, but could allow attackers to access sensitive or confidential data, compromising the security of the payment system. Examples are:

  • Using XSS to bypass Content Security Policy (CSP).
  • Discovery or leakage of confidential user data through public resources.
  • Access to systems that the user has no right to access (for example, authorization errors).
  • Manipulation of payment system data, which can lead to manipulation of transactions, even without direct access to finances.

Medium level

Medium-level problems may allow limited access to data that is not critical, but still poses a problem to the normal operation of the service or poses a potential threat to privacy. Such vulnerabilities may include:

  • Leakage of non-confidential information (such as general account or transaction data) that the user should not have access to.
  • XSS that does not bypass CSP or modify another user’s session.
  • CSRF attacks on low-risk activities that do not compromise the security of financial transactions.

Low level

These vulnerabilities have minimal impact on the security or functionality of the payment service, but may affect the user experience or even mislead users. They can rarely be leveraged for more serious attacks and usually amount to minor system malfunctions. For example:

  • Verbose or detailed error pages that do not contain sensitive information but may give the impression that the system is not functioning properly.
  • Glitches in the user interface or error messages that may lead to incorrect expectations but have no serious consequences.

Types of vulnerabilities

Qualified vulnerabilities:

  • Account recovery attacks:
    • Any attack that allows access to a user’s password, including trusted account recovery mechanisms.
  • Attacks on access to messages and files:
    • Any attack that allows access to files/messages in a workspace/conversation that you do not have access to.
  • Bypassing permissions in the workspace:
    • Any attack that bypasses a user’s workspace permissions, such as updating documents with read-only permissions or adding users with member-only permissions.
  • Attacks on access to shared files:
    • Any attack that allows access to a shared file without knowing the access key.
  • File history modification attacks:
    • Any attack that allows you to change the history of files.
  • Cross-Site Scripting (XSS):
    • Attacks that allow a malicious script to be executed in the user’s browser, through which data can be stolen or other unwanted actions can be performed.
  • SQL injection:
    • Attacks that allow malicious SQL code to be injected into database queries, which can lead to data loss or unwanted operations.
  • Remote Code Execution (RCE):
    • Attacks that allow an attacker to execute arbitrary code on a victim’s server or device.
  • Insecure Direct Object Reference (IDOR):
    • Attacks that allow an attacker to gain access to objects (files, data) by manipulating request parameters.
  • Horizontal and vertical escalation of privileges:
    • Attacks that allow an attacker to gain greater privileges, both within the same level (horizontal escalation) and to a higher level of access (vertical escalation).
  • Authentication bypass and failed authentication:
    • Attacks that allow bypassing the authentication process or using vulnerabilities in the authentication process.
  • Business logic errors with real security impact:
    • Vulnerabilities resulting from improper implementation of business logic that can be exploited to gain unauthorized access or affect operations.
  • Local file access and manipulation (LFI, RFI, XXE, SSRF, XSPA):
    • Attacks that allow attackers to manipulate or access local files or otherwise manipulate resources.
  • Cross-origin resource sharing (CORS) with real security implications:
    • Vulnerabilities that allow cross-origin resource sharing (CORS) policies to be violated, which could lead to data theft or unwanted actions.
  • Cross-Site Request Forgery (CSRF):
    • Attacks that allow an attacker to forge a request on behalf of a user who is already authenticated on the platform in order to perform unwanted actions.
  • Open redirect:
    • Attacks that allow an attacker to redirect a user to a malicious website using a vulnerability in the platform’s redirect mechanism.
  • Disclosed secrets, credentials or confidential information:
    • Attacks that allow attackers to gain access to sensitive information, credentials, or secrets through objects under the platform’s control.
  • Access to infrastructure:
    • Attacks that allow attackers to gain access to sensitive information or credentials that are not properly protected.

Unqualified vulnerabilities with no reward:

We do not accept, and do not pay a reward for, the following reports:

  • The ability for authenticated users to view account information (e-mail, first name, last name, payment details, publicly available certificates) on payment platforms if the user role has the required access level.
  • Denial of service vulnerabilities, lack of rate limiting, brute force attacks on payment systems.
  • Client applications remaining connected indefinitely, which may allow attackers to perform unwanted financial transactions.
  • Tabnabbing issues in the transaction flow.
  • Known CVEs without a working Proof of Concept related to payment systems.
  • Social engineering of staff or contractors to steal payment information.
  • The presence of an autofill attribute in web forms, which may lead to unauthorized filling of payment data.
  • Outdated libraries with no demonstrated impact on the security of payment transactions.
  • Hypothetical flaws or violations of best practices without PoC in payment systems.
  • Reports that require physical access to the victim’s device to perform payment transactions.
  • Disclosure of payment information without direct impact on security (e.g. stack trace, disclosure of path to payment servers).
  • Issues with password requirements (length, complexity, reuse) to access payment accounts.
  • Possibility of sending spam through the payment system (e-mail/SMS/direct message flood).
  • Recently disclosed 0-day vulnerabilities in payment systems (less than 30 days after patching).
  • Vulnerabilities on third-party sites, as long as they do not affect the company’s main payment platform.
  • Vulnerabilities on the company’s blog affecting the security of payment data (blog.Payop.com).
  • Vulnerabilities requiring physical access, social engineering, spam, DDoS attacks on payment services.
  • Vulnerabilities in outdated or unpatched browsers that can be used to intercept payment data.
  • Problems in third-party applications using the API of the payment system.
  • Vulnerabilities in third-party libraries or payment system technologies, if less than 30 days have passed since their public disclosure.
  • Known problems or vulnerabilities already reported by another participant (only the first report receives a reward).
  • Problems that could not be reproduced on the payment platform.
  • Vulnerabilities that require excessive interaction with the user to carry out financial transactions.
  • Lack of security headers without confirmation of their use in payment services.
  • Guidelines for using TLS cipher suites to secure payment transactions.
  • Suggestions for improving best practices in the field of payment security.
  • Disclosure of payment software versions.
  • Reports that do not contain detailed instructions and proof of concept exploit for payment services.
  • Problems that cannot be solved due to the requirements for compliance with the technical standards of the payment system.
  • Results of automated scanners or AI-generated reports that relate to the payment platform.
  • Attacks that may impair or disrupt the functionality of payment services or user interaction.
  • Attacks aimed at destroying or corrupting payment data that do not belong to you.
  • Attacks through stolen or leaked credentials to access the payment platform.
  • Intentional access to payment data or information beyond the minimum necessary to demonstrate a vulnerability.
  • Physical attacks, social engineering attacks, phishing or electronic attacks on billing personnel, offices, wireless networks or property.
  • Attacks related to payment email servers, security protocols (e.g. SPF, DMARC, DKIM) or spam.
  • Reporting insecure SSL/TLS ciphers without working proof of concept on the payment server.
  • Reports of missing HTTP headers (e.g. missing HSTS) without operational proof of concept on the payment platform.
  • Clickjacking in the context of payment web forms.
  • Reports of server error messages with no confirmed exploit on the payment server.
  • Vulnerabilities affecting only old/deprecated browsers used for payment transactions.
  • Reports related to payment server version strings.
  • Attempts to execute malicious code by claiming the names of internal packages used by the payment platform.
  • Code execution inside the isolated sandbox of the code interpreter feature, used to manipulate payment data.
  • Ways to bypass IP blocking or geoblocking by changing your IP address or using a VPN.
  • Methods of bypassing the payment system through other channels, such as changing API keys.

The Same Flaw on a Different Host
Allow Payop sufficient time to address and patch similar issues across other host instances. If you discover the same vulnerability on another unique host before the initial report is resolved, add this finding to the existing report. This will qualify you for an additional 5% bonus per host (not per domain). Submitting new reports separately for the same issue during the resolution process will result in them being marked as duplicates.

The Same Flaw with a Different Parameter
In some cases, rewards can be combined into a single payment. For example, if multiple reports identify the same vulnerability affecting different resource parameters or demonstrate various attack vectors related to a core infrastructure issue, please consolidate your findings into one report. Avoid splitting them into separate submissions.