Omise is a payment gateway in Southeast Asia; we provide credit card and
alternative payment solutions to merchants.
If you believe you've found a security issue in our product or service, please
let us know. We welcome working with you to resolve any issues.
PLEASE: Read carefully what is in our Scope and what is allowed for research.
- Be the first to report it to receive credits or payments
- Follow our Disclosure Policy
- Respect the exclusions
- Only research on Scoped domains and systems
- When in doubt, contact us at firstname.lastname@example.org
Omise Main Components:
1. Vault: (vault.omise.co)
Omise Vault is used only for receiving credit card data and exchanging it for
a token, which can then be used to charge a card or to create a permanent card
on file (customer) for recurring charges. https://www.omise.co/tokens-api
2. API (api.omise.co)
Omise API handles all operations except token creation. No credit card data
is ever transmitted to the API. The API can charge cards, capture charges, perform
refunds, create transfers, among many others. All API endpoints can be found
in our Documentation at https://www.omise.co/api-reference
3. Dashboard (dashboard.omise.co)
Omise Dashboard is where merchants sign in, sign up and view all information
for their accounts. Some actions can also be run from the dashboard, such as
refunding a charge or creating a transfer.
However, the following Omise Dashboard behaviours are by design and are not vulnerabilities:
- Rolling keys: the old keys expire after 1 hour and remain visible for 15 minutes (you can revoke expiring keys to make them unusable immediately);
- Test data can be reset via a GET request; it is only test data, and this is a feature;
- Email verification is optional; it is not required to continue using the service;
- You can create a test account without an email address (anonymous mode);
- The roles (Administrator and Technical Manager) apply only in Live mode, not in Test mode. If you want a live account, please register at https://dashboard-staging.omise.co. You can use dummy information, but you need to fill in all fields. After completing the registration, write an email to email@example.com to get the account activated.
4. Exchange (go.exchange)
A newly launched crypto-to-crypto exchange where users can trade, deposit,
Source Code Bounty Program
We have a number of open source repositories for our projects that are
Example of ideal source code reports:
- Design flaws which could be exploited with a proof of concept.
- Insecure default configurations/settings that could lead to a security issue.
- Usage of insecure (deprecated) algorithms that could lead to data compromise or MitM attacks.
- Poor/incorrect usage of a package/dependency resulting in a vulnerability in our packages.
Ineligible reports for Source code
- Issues related to software not under our control (such as external dependencies) are not eligible for a reward.
- Our open source development is publicly visible. Reports related to an issue being fixed in a branch or being tracked in a public way will therefore not be eligible for a bounty.
- Reports of issues without a proof-of-concept or clear path to exploitation. You may still report these, but will not be eligible for a monetary reward.
- Issues on older releases. Issues must be reproducible on latest/master releases only.
- Certificate pinning recommendations.
- Contact us here or at firstname.lastname@example.org
- Let us know as soon as possible upon discovery of a potential security issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We will reply within 48 business hours.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Rewards and Eligible Vulnerabilities
We will reward in the range of $100 to $2000 USD depending on the application,
risk, complexity, impact and overall severity of the Vulnerability. You must
provide as much explanation as possible on how the attack can be performed,
estimated percentage of users/browsers affected, browser versions, attack
conditions and all edge case details.
Vulnerabilities must be applicable, have a proof of concept and must be
reproducible. Non-reproducible findings that depend on other theoretical or
non-existent higher-level issues are not accepted.
Our team will review each Vulnerability submission for eligibility and final
reward consideration. Final reward amounts are at our sole and final
discretion. In some instances, our reward panel may choose higher rewards for
unusually major, clever or complex vulnerability submissions.
We will only reward vulnerability in the following categories:
- Remote code execution
- Authentication bypass
- SQL injection
- Unauthorized Access
- Severe XSS and CSRF
- Change content on our pages/websites
- Skip merchant live account verification
- Live Account take-over
- Unauthorized data access such as:
- Leak or Retrieval of credit/debit card data
  - Leak or retrieval of merchant/account information
- iOS application security flaws
- Two Factor authentication flaws or bypass
To receive credit, you must be the first reporter of a vulnerability and
provide us a reasonable amount of time to remediate before publicly
disclosing. When submitting a vulnerability, please provide concise steps to
reproduce that are easily understood, and allow us some time to fix it.
Depending on the issue, we might take longer to produce a solution.
While researching, please refrain from:
- Denial of service
- Destruction of data
- Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- Scans from available tools such as Nessus or Qualys.
- Performing more than 100 requests per minute or 3000 requests per hour.
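The request ceilings above apply to any rolling window, so a burst of 100 requests followed by a pause does not reset the budget until the oldest request ages out. The following client-side throttle, an added example that is not part of Omise's program or code, keeps a research session under both limits at once by tracking timestamps in two sliding windows and sleeping for whichever limit is currently the stricter one. The limits default to the policy's numbers; the fake clock and the simulate_burst helper exist only so the behaviour can be checked offline.

```python
"""Client-side throttle for staying inside a bounty program's request limits.

Two rolling windows are enforced simultaneously: at most `per_minute`
requests in any 60 s window and at most `per_hour` in any 3600 s window.
Added example; the numbers default to the limits stated in the policy.
"""
from collections import deque
import time


class PolicyThrottle:
    def __init__(self, per_minute=100, per_hour=3000,
                 clock=time.monotonic, sleeper=time.sleep):
        # (window length in seconds, maximum requests inside that window)
        self.limits = ((60.0, per_minute), (3600.0, per_hour))
        # One deque of issue timestamps per window, oldest first.
        self.windows = [deque() for _ in self.limits]
        self.clock = clock      # injectable for deterministic testing
        self.sleeper = sleeper  # injectable so tests advance a fake clock

    def _evict(self, now):
        # Drop timestamps that have aged out of each window.
        for (span, _), q in zip(self.limits, self.windows):
            while q and now - q[0] >= span:
                q.popleft()

    def wait_time(self):
        """Seconds until the next request is permitted (0.0 if permitted now)."""
        now = self.clock()
        self._evict(now)
        delay = 0.0
        for (span, cap), q in zip(self.limits, self.windows):
            if len(q) >= cap:
                # Wait until the oldest request in this window expires;
                # the stricter of the two windows wins.
                delay = max(delay, span - (now - q[0]))
        return delay

    def acquire(self):
        """Block until a request is allowed, record it, return seconds waited."""
        delay = self.wait_time()
        if delay > 0:
            self.sleeper(delay)
        now = self.clock()
        self._evict(now)
        for q in self.windows:
            q.append(now)
        return delay


class FakeClock:
    """Deterministic clock: sleeping advances time instantly (test aid only)."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def simulate_burst(n, per_minute=100, per_hour=3000):
    """Issue n requests as fast as the throttle allows; return issue times."""
    clock = FakeClock()
    throttle = PolicyThrottle(per_minute, per_hour, clock=clock, sleeper=clock.sleep)
    times = []
    for _ in range(n):
        throttle.acquire()
        times.append(clock())
    return times


def max_in_window(times, span):
    """Largest number of timestamps falling in any half-open window (t-span, t]."""
    best = 0
    start = 0
    for end, t in enumerate(times):
        while t - times[start] >= span:
            start += 1
        best = max(best, end - start + 1)
    return best


if __name__ == "__main__":
    issued = simulate_burst(3100)
    print("requests issued:", len(issued))
    print("peak per minute:", max_in_window(issued, 60.0))
    print("peak per hour:  ", max_in_window(issued, 3600.0))
    print("wall time needed for 3100 requests (s):", issued[-1])
```

In a real session, construct `PolicyThrottle()` once and call `acquire()` immediately before every request, sharing the same instance across threads or tools that target the same program so the budget is counted once. The simulation shows the hourly limit taking over: the minute window alone would let 3000 requests through in 30 minutes, but the 3001st request must wait until the first batch is a full hour old.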
Vulnerabilities not eligible:
- Email enumeration via Login, Signup, or Forgot Password pages.
- Rate limiting to any endpoint
- Content spoofing / text injection
- Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]
- Logout and other instances of low-severity Cross-Site Request Forgery
- CSRF to GET type urls that are not important (i.e. reset test data)
- Missing HTTP security headers
- Host Header Attacks
- Missing cookie flags on non-sensitive cookies
- Password and account recovery policies, such as reset link expiration or password complexity
- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
- SSL/TLS best practices
- Clickjacking/UI redressing with no practical security impact
- Software version disclosure
- Vulnerabilities that depend on other non-existent vulnerabilities (these fall under best practices)
Security best practices: We welcome findings that describe a security best
practice without an actual security vulnerability, but we may not award
bounties for them; we can only give you thanks and points.
Reports covering the exclusions above may be closed as "Not Applicable" or
"Duplicate", causing you to lose your hard-earned points, or we may mark
them as resolved with no bounty if deemed a good security best practice.
All reward payments are subject to compliance with local laws, rules and
regulations. Before you receive your reward, we may require that you sign an
affidavit of eligibility, a questionnaire, and a release of liability. You
will be solely responsible for all applicable taxes relating to any reward
under this Program.
Thank you for helping keep Omise and our users safe!