Introduction
At Paygoz, the security of our platform and the protection of our customers' data are our highest priorities. We recognize the valuable role that independent security researchers play in keeping the internet safe.
If you believe you have discovered a security vulnerability in our systems, we encourage you to report it to us responsibly. We are committed to working with the security community to verify, reproduce, and respond to legitimate reports.
This policy describes the rules of engagement for security research and vulnerability reporting, what systems and activities are covered, how to submit vulnerability reports, and how long we ask you to wait before publicly disclosing a vulnerability.
Guidelines for Researchers
To encourage responsible reporting, we ask that you adhere to the following guidelines:
- Report vulnerabilities as soon as possible after discovery.
- Provide sufficient detail to allow us to reproduce and verify the vulnerability.
- Make a good faith effort to avoid privacy violations, data destruction, and service disruption.
- Do not access, modify, or delete data belonging to other users.
- Do not exploit a vulnerability beyond what is necessary to demonstrate the issue.
- Do not use automated scanning tools that generate significant traffic or could cause service degradation.
- Do not engage in social engineering, phishing, or physical attacks against Paygoz employees or infrastructure.
- Do not publicly disclose the vulnerability until Paygoz has had reasonable time to address it and has provided written consent.
- Do not demand financial compensation as a condition for reporting or withholding a vulnerability.
In Scope
The following systems and vulnerability types are within the scope of this program:
Systems
- paygoz.com and all subdomains
- Paygoz API endpoints
- Paygoz Dashboard
- Paygoz Checkout and payment pages
- Paygoz mobile applications
Vulnerability Types
- Remote code execution
- SQL injection and other injection vulnerabilities
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Server-side request forgery (SSRF)
- Authentication and authorization bypass
- Insecure direct object references (IDOR)
- Sensitive data exposure
- Business logic vulnerabilities affecting payment flows
- Privilege escalation
Out of Scope
The following are explicitly excluded from this program:
- Denial of Service (DoS/DDoS) attacks
- Brute force attacks on login pages or API endpoints
- Spam or social engineering attacks (including phishing)
- Physical security vulnerabilities
- Vulnerabilities in third-party software, services, or integrations not maintained by Paygoz
- Clickjacking on pages with no sensitive actions
- Missing HTTP security headers that do not lead to a demonstrable vulnerability
- SSL/TLS configuration issues without demonstrable impact
- Content injection or text-only injection without demonstrable impact
- Email configuration issues (SPF, DKIM, DMARC) without demonstrable exploit
- Vulnerabilities requiring jailbroken or rooted devices
- Reports generated solely by automated scanning tools without manual validation
How to Report a Vulnerability
Please send your vulnerability report to:
Your report should include the following information:
- A clear description of the vulnerability and its potential impact
- Detailed steps to reproduce the issue
- The URL(s) or API endpoint(s) affected
- Screenshots, videos, or proof-of-concept code (if applicable)
- Your assessment of the severity (Critical, High, Medium, Low)
- Your name and contact information (for follow-up and acknowledgment)
For sensitive reports, we encourage you to encrypt your email using our PGP public key, available upon request at security@paygoz.com.
What to Expect
After you submit a vulnerability report, you can expect the following:
- Acknowledgment: We will acknowledge receipt of your report within two (2) business days.
- Assessment: Our security team will evaluate your report and determine the validity and severity of the vulnerability within ten (10) business days.
- Updates: We will keep you informed about the progress of our investigation and remediation efforts.
- Resolution: We aim to resolve critical vulnerabilities within thirty (30) days. Complex issues may take longer, and we will communicate expected timelines.
- Notification: We will notify you when the vulnerability has been remediated and, with your consent, credit you for the discovery.
Rewards
To show our appreciation for responsible disclosure, we offer rewards for qualifying vulnerability reports. Reward amounts are determined at Paygoz's discretion based on the severity, impact, and quality of the report.
| Severity | Reward Range |
| --- | --- |
| Critical | $500 - $2,000 |
| High | $250 - $500 |
| Medium | $100 - $250 |
| Low | Up to $100 |
Rewards are only paid for the first report of a given vulnerability. Duplicate reports will be acknowledged but are not eligible for a reward. Paygoz reserves the right to modify or discontinue the rewards program at any time.
Legal Safe Harbor
Paygoz will not pursue legal action against security researchers who discover and report vulnerabilities in good faith, provided they comply with this responsible disclosure policy.
To qualify for safe harbor protection, you must:
- Act in good faith and comply with all guidelines outlined in this policy.
- Avoid intentionally accessing, modifying, or deleting data that does not belong to you.
- Not cause harm to Paygoz, its customers, or its systems beyond what is strictly necessary to demonstrate the vulnerability.
- Promptly report any inadvertently accessed data and delete any copies.
- Not publicly disclose the vulnerability without Paygoz's prior written consent.
If at any time you are uncertain whether your research complies with this policy, please contact us at security@paygoz.com before proceeding.
We appreciate the security community's efforts in helping us keep Paygoz safe for everyone.