Banner object (1)

Hack and Take the Cash !

822 bounties in database
  Back Link to program      
Omise logo
Hall of Fame


100 $ 


Omise payment gateway in Southeast Asia, we provide credit card and alternative payment solutions to merchants.

If you believe you've found a security issue in our product or service, please let us know. We welcome working with you to resolve any issues.

PLEASE : Read carefully what is on our Scope and allowed for research.

Program Rules

  • Be the first to report it to receive credits or payments
  • Follow our Disclosure Policy
  • Respect the exclusions
  • Only research on Scoped domains and systems
  • When in doubt, contact us at

Omise Main Components:

1. Vault: (

Omise vault is used only for receiving credit cards data and exchanging it for a token which can be used to charge a card or create a permanent card on file (customer) for recurring charges. __

2. API (

Omise API handles all operations except token creation. No credit card is ever transmitted to the API. The API can charge cards, capture charges, perform refunds, create transfers, among many others. All API endpoints can be found in our Documentation at __

3. Dashboard (

Omise Dashboard is where merchants signin, signup and view all information for their accounts. Some actions are also possible to be run from the dashboard, such as refunding a charge or creating a transfer.

However, there are some exceptions by design for Omise dashboard:

  • Rolling keys will expire the old keys after 1 hour and still be shown for 15 minutes (You can revoke expiring keys to make them unusable immediately);
  • Test data can be reset via a get request, it's just test data, this is a feature;
  • Email verification is not required to continue using us, but optional;
  • You can create test account without email (anonymous mode);

Mobile Applications

Source Code Bounty Program

We have a number of open source repositories for our projects that are eligible.

Endpoints Repositories

Example of ideal source code reports:

  • Design flaws which could be exploited with a proof of concept.
  • Insecure default configurations/settings that could lead a security issue.
  • Usage of insecure (deprecated) algorithms that could lead to data compromise of MitM attacks.
  • Poor/incorrect usage of a package/dependency resulting in a vulnerability in our packages.

Ineligible reports for Source code

  • Issues related to software not under our control (such as external dependencies) are not eligible for a reward.
  • Our open source development is publicly visible. Reports related to an issue being fixed in a branch or being tracked in a public way will therefore not be eligible for a bounty.
  • Reports of issues without a proof-of-concept or clear path to exploitation. You may still report these, but will not be eligible for a monetary reward.
  • Issues on older releases. Issues must be reproducible on latest/master releases only.
  • Certificate pinning recommendations.

Disclosure Policy

  • Contact us here or at
  • Let us know as soon as possible upon discovery of a potential security issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We will reply within 48 business hours.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Rewards and Eligible Vulnerabilities

We will reward in the range of $100 to $2000 USD depending on the application, risk, complexity, impact and overall severity of the Vulnerability. You must provide as much explanation as possible on how the attack can be performed, estimated percentage of users/browsers affected, browser versions, attack conditions and all edge case details.

Vulnerabilities must be applicable, have a proof of concept and must be reproducible. Non-reproducible findings that depends on other theoretical or non-existing high level issues are not accepted.

Our team will review each Vulnerability submission for eligibility and final reward consideration. Final reward amounts are at our sole and final discretion. In some instances, our reward panel may choose higher rewards for unusually major, clever or complex vulnerability submissions.

We will only reward vulnerability in the following categories:

  • Remote code execution
  • Authentication bypass
  • SQL injection
  • Unauthorized Access
  • Severe XSS and CSRF
  • Change content on our pages/websites
  • Skip merchant live account verification
  • Live Account take-over
  • Unauthorized data access such as:
    • Leak or Retrieval of credit/debit card data
    • Leak or Retrieval or merchant/account information
  • iOS application security flaws
  • Two Factor authentication flaws or bypass

To receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well allow us some time to fix it. Depending on the issue we might take longer to produce a solution.


While researching, please to refrain from:

  • Denial of service
  • Spamming
  • Destruction of data
  • Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • Scans from available tools such as Nessus or Qualys.
  • Perform more than 100 requests in a minute or 3000 per hour.

Vulnerabilities not eligible:

  • Email enumeration via Login, Signup, or Forgot Password pages.
  • Rate limiting to any endpoint
  • Content spoofing / text injection
  • Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]
  • Logout and other instances of low-severity Cross-Site Request Forgery
  • CSRF to GET type urls that are not important (i.e. reset test data)
  • Missing HTTP security headers and
  • Host Header Attacks
  • Missing cookie flags on non-sensitive cookies
  • Password and account recovery policies, such as reset link expiration or password complexity
  • Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  • SSL/TLS best practices
  • Clickjacking/UI redressing with no practical security impact
  • Software version disclosure
  • Vulnerabilities that depends on other non existing vulnerabilities (fall under best practices)

Security Best practices : We welcome those findings with no actual security vulnerability that are security best practices, but we may not award bounties to those, we can only give you thanks and points for it.

Reports covering exclusions above may be closed as " Not Applicable" or " Duplicate" causing you to loose your hard earned points, or we may mark as resolved with no bounty if deemed a good security best practice.

Payment Conditions

All reward payments are subject to compliance with local laws, rules and regulations. Before you receive your reward, we may require that you sign an affidavit of eligibility, a questionnaire, and a release of liability. You will be solely responsible for all applicable taxes relating to any reward under this Program.

Thank you for helping keep Omise and our users safe!

In Scope

Scope Type Scope Name











web_application __

web_application __

web_application __

web_application __

web_application __

web_application __

web_application __

web_application __

web_application __

web_application __

web_application __

web_application &mt=8 __

The public program Omise on the platform Hackerone has been updated on 2019-08-06, The lowest reward is 100 $.

FireBounty © 2015-2020

Legal notices