PayTabs Bug Bounty
The purpose of the Bug Bounty program is to lay out procedures and establish the rules for collaboration with Security Researchers when security tests are performed on the PayTabs Group (collectively “Company”) environment.
Bug Bounty Scope
The scope of the Bug Bounty program is PayTabs merchant dashboard (PT 2.0), PayTabs applications such as Paymes, SoftPOS, PayTabs mobile SDK, PayTabs API and PayTabs express checkout.
Responsible Investigation
Responsible investigation includes, but is not limited to, the following rules:
- Do not violate the privacy of PayTabs employees, customers or merchants, and do not destroy any data.
- Do not defraud or harm PayTabs or its users during your research; you should make a good faith effort to not interrupt or degrade PayTabs services.
- Do not target our physical security measures, or attempt to use social engineering, spam, or distributed denial-of-service (DDoS) attacks.
- In general, investigate and report bugs in a way that makes a reasonable, good faith effort not to be disruptive or harmful to us or our users. Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.
Report Eligibility
- The report should demonstrate the actual security vulnerability and its impact on PayTabs infrastructure. The Security Researcher is also required to demonstrate the step-by-step vulnerability identification process.
- Security Researcher should follow applicable local and international laws during the testing.
- Security Researcher should not disclose findings to the public.
Note: Going public with your finding before we have fixed it will exclude you from the bug bounty. Instead, kindly endorse and discuss the finding with the authorized experts and give them time to assess and solve the issue.
Disclosure Policy
- Security Researcher should agree to the PayTabs Terms and Conditions document sent by PayTabs Legal Department.
- Security Researcher should agree that he/she may not publicly disclose their findings or the contents of their Submission to any third party or competitor in any way without PayTabs’ prior written approval.
- Failure to comply with the PayTabs Terms and Conditions will result in immediate disqualification from the Bug Bounty Program and ineligibility for any Bounty Payments.
Rewards – Security Researcher
- Reward amount ranges from 100$ to 2000$ depending on the severity of the reported vulnerability, the type of website concerned, and the quality of the report being received.
- If the report is of great value for the continuity and reliability of PayTabs’ infrastructure, the reward or bug bounty will be considerably higher in exceptional cases.
- The Security Researcher will be eligible for a bounty only if he is the first person to disclose an unknown security or technical issue.
- Rewards are granted at the sole discretion of PayTabs.
- Vulnerabilities will be rewarded based on severity, to be determined by PayTabs in its sole discretion.
- At PayTabs’ discretion, providing more complete research, proof-of-concept code and detailed reports may increase the bounty awarded. Conversely, rewards will be lower for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible.
- Rewards may be denied if there is any evidence of program procedure violations.
- Rewards will be declined if any evidence of abuse is established.
Other Information
This Bug Bounty Program is a discretionary rewards program for the PayTabs community to encourage and reward those who are helping to enhance our services and infrastructure. This is not a competition. The Management can cancel this program at any time and rewards are at the sole discretion of PayTabs.
Report a Vulnerability
Security Researchers can privately share details of suspected vulnerabilities with us by submitting a report via the form below: