VezoPay Responsible Disclosure Program

Help us keep VezoPay secure. Get recognized in our Hall of Fame.

Introduction & Purpose

At VezoPay, we take the security of our systems and the protection of our users' data seriously. We believe that collaboration with the security community is essential to maintaining a robust security posture.

We encourage ethical security research on our platforms and welcome responsible disclosure of any vulnerabilities you may discover. Our program is designed to foster a collaborative, not adversarial, relationship with security researchers.

By working together, we can identify and address potential security issues before they can be exploited maliciously, ensuring that VezoPay remains a safe and trusted platform for all our users.

Scope

In-Scope Assets

Out-of-Scope Items

  • Social engineering
  • Physical attacks
  • DDoS / traffic flooding
  • Vulnerabilities in third-party services
  • Reports without clear reproduction steps

Accepted Vulnerability Types

  • Authentication & authorization flaws
  • Insecure Direct Object Reference (IDOR)
  • Sensitive data exposure
  • API security issues
  • Business logic flaws
  • Mobile app vulnerabilities
  • Improper access control
  • Cryptographic issues

Non-Eligible Findings

  • Best practices / informational issues only
  • Rate limiting without impact
  • Missing headers without exploitation
  • Self-XSS
  • Clickjacking without sensitive action

Rules & Safe Harbor

  • Act in good faith and avoid any disruptive or harmful actions.
  • Do not destroy data, modify data without authorization, or degrade the performance of our systems.
  • Respect user privacy and do not access or exfiltrate user data beyond what is necessary to demonstrate the vulnerability.
  • Do not publicly disclose the vulnerability before we have had a reasonable time to address it.
  • VezoPay will not take legal action against researchers who follow these rules and act in good faith.

How to Report

1. Prepare Your Report
   Gather all necessary information about the vulnerability, including detailed steps to reproduce it.

2. Include Required Details
   Make sure your report contains all the information we need to validate and address the issue.

3. Send Your Report
   Email your findings to our security team for review.

Required Report Details

  • Asset affected (website, API endpoint, mobile app)
  • Vulnerability type
  • Detailed proof of concept or reproduction steps
  • Potential impact and risk assessment
  • Screenshots or videos if applicable

Contact Method

Please send your reports to: [email protected]

We'll acknowledge receipt within 48 hours and provide updates on our progress.

Security Champions Hall of Fame

We celebrate the security researchers who collaborate with us to make VezoPay safer for everyone. These champions have demonstrated exceptional skill and commitment to security.

Disclosure Timeline

1. Acknowledgment
   We'll acknowledge receipt of your report within 48 hours.

2. Validation
   We'll validate and triage your report within 5-7 business days.

3. Resolution
   We'll work to fix the issue based on severity and complexity.

4. Recognition
   After resolution, we'll add you to our Hall of Fame (with your permission).