OMPAY Security

Vulnerability Disclosure Program

We take the protection of our customers' financial data seriously.

Found a security issue? Report it to our security team and we will investigate promptly. Researchers who report valid vulnerabilities are recognised in our Hall of Fame.

Guidelines

Disclose Responsibly

We ask all security researchers to follow the principles below when identifying and reporting issues. Researchers who act in good faith and within these guidelines will not face legal action from OMPAY.

Minimal Footprint

Only test accounts you own or have explicit permission to access. Do not modify or delete data beyond what is necessary to prove the issue exists.

Proof of Concept Only

Do not exploit the vulnerability beyond what is needed to prove it exists. No automated scanning, DoS testing, or social engineering of our staff.

Clear Reporting

Include steps to reproduce, affected endpoints, and an impact assessment. The more detail you provide, the faster we can resolve the issue.

Coordinated Disclosure

Please give us 90 days to investigate and remediate before publishing your findings publicly. We will keep you informed throughout the process.

Scope

What's in Scope

Please focus your research on the systems listed below. Out-of-scope reports will not be eligible for public recognition on this page.

✓ In Scope

Assets:

  • ompay.om, ompay.com and all subdomains
  • OMPAY mobile apps (iOS & Android)

Issue types we want to hear about:

  • Authentication & session management flaws
  • API endpoints and data exposure
  • Cross-site scripting (XSS)
  • SQL injection and IDOR
  • Privilege escalation vulnerabilities
  • Server-side request forgery (SSRF)

✗ Out of Scope

  • Third-party services and integrations
  • Social engineering or phishing attacks
  • Denial-of-service (DoS / DDoS)
  • Physical security testing
  • Issues that only reproduce in outdated or unsupported browsers
  • Email configuration (SPF, DMARC, DKIM)
  • Clickjacking on non-sensitive pages
  • Scanner output without proof of concept

Contact

How to Report

Send your findings to our security team. We aim to acknowledge all reports within 48 hours and will provide updates as we work toward a fix.

[email protected]

Please include steps to reproduce, affected URLs or endpoints, environment details (client, operating system, app version where relevant), and your assessment of potential impact. Encrypted submissions are welcome; contact us to exchange PGP keys before sending sensitive details.

Response targets:

  Acknowledgement:          within 48 hours
  Triage:                   within 5 days
  Status update:            within 30 days
  Coordinated disclosure:   90 days

Recognition

Hall of Fame

1 recognised researcher

We thank the following researchers for responsibly disclosing valid vulnerabilities and helping make OMPAY safer for everyone.

Researcher                          Country   Year   Severity
Raksh Raja ([email protected])       India     2026   Low