Omise
2019-03-07
2023-10-05
Minimum reward: 100 $
Omise is a payment gateway in Southeast Asia; we provide credit card and alternative payment solutions to merchants.

If you believe you've found a security issue in our product or service, please let us know. We welcome working with you to resolve any issues.

NOTE: Read carefully what is in our Scope and allowed for research.

Investigating and reporting bugs

  • Be the first to report it to receive credit or payment.

  • As a reporter, we expect you to:

      • express and explain the vulnerabilities;

      • give brief steps to reproduce the vulnerability;

      • provide a Proof-of-Concept (screenshots or screen recordings, etc.) that gives us insight that the attack is reproducible, in case we get lost;

      • give a brief summary of the impact the vulnerability might have on our company.

  • Follow our Disclosure Policy.

  • Respect the exclusions.

  • Only research on scoped domains and systems.

  • When in doubt, contact us at security@omise.co. (NOTE: We will not respond to emails asking whether a particular vulnerability is eligible or not. Please use HackerOne to report any issues you find.)

Regarding the state of reports:

  • Please read about report states: https://docs.hackerone.com/hackers/report-states.html .

  • If you have additional information, add it to the report.

  • When the report is closed as N/A or Informative, please read the explanation behind closing the report, including the linked articles, carefully.

  • If you feel we have made a mistake, update the report. We will consider your explanation and reply.

  • Don’t file a separate report to discuss the same issue.

  • Feel free to verify the bugfix, and let us know if there’s still a problem.

Omise Main Components:

PLEASE CHECK BELOW(SCROLL DOWN) FOR IN-SCOPE COMPONENTS.

1. Vault: (vault.omise.co)

Omise Vault is used only for receiving credit card data and exchanging it for a token, which can be used to charge a card or to create a permanent card on file (customer) for recurring charges. https://www.omise.co/tokens-api

2. API (api.omise.co)

Omise API handles all operations except token creation. No credit card is ever transmitted to the API. The API can charge cards, capture charges, perform refunds, create transfers, among many others. All API endpoints can be found in our Documentation at https://www.omise.co/api-reference

3. Dashboard (dashboard.omise.co)

Omise Dashboard is where merchants sign in, sign up and view all information for their accounts. Some actions can also be run from the dashboard, such as refunding a charge or creating a transfer.

However, there are some exceptions by design for the Omise dashboard:

  • Rolling keys expires the old keys after 1 hour, and they are still shown for 15 minutes (you can revoke expiring keys to make them unusable immediately);

  • Test data can be reset via a GET request; it is just test data, and this is a feature;

  • Email verification is optional and not required to continue using the service;

  • You can create a test account without an email (anonymous mode);

4. Mobile Applications

  • Omise iOS Dashboard application https://itunes.apple.com/th/app/omise/id1170479422

  • Omise Alipay Android application https://play.google.com/store/apps/details?id=co.omise.pay

Source Code Bounty Program

We have a number of open source repositories for our projects that are eligible.

Endpoints Repositories

  • https://github.com/omise

Example of ideal source code reports:

  • Design flaws which could be exploited with a proof of concept.

  • Insecure default configurations/settings that could lead to a security issue.

  • Usage of insecure (deprecated) algorithms that could lead to data compromise or MitM attacks.

  • Poor/incorrect usage of a package/dependency resulting in a vulnerability in our packages.

Non-qualifying reports for Source code:

  • Issues related to software not under our control (such as external dependencies) are not eligible for a reward.

  • Our open source development is publicly visible. Reports related to an issue being fixed in a branch or being tracked in a public way will therefore not be eligible for a bounty.

  • Reports of issues without a proof-of-concept or clear path to exploitation. You may still report these, but they will not be eligible for a monetary reward.

  • Issues on older releases. Issues must be reproducible on latest/master releases only.

  • Certificate pinning recommendations.

Disclosure Policy

  • Contact us here or at security@omise.co upon discovery of a potential security issue which needs immediate attention.

  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party. We will reply within 48 business hours.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Rewards and Eligible Vulnerabilities

We will reward in the range of $100 to $2000 USD depending on the application, risk, complexity, impact and overall severity of the Vulnerability. You must provide as much explanation as possible on how the attack can be performed, estimated percentage of users/browsers affected, browser versions, attack conditions and all edge case details.

Vulnerabilities must be applicable, have a proof of concept and must be reproducible. Non-reproducible findings that depend on other theoretical or non-existent high-level issues are not accepted.

Our team will review each Vulnerability submission for eligibility and final reward consideration. Final reward amounts are at our sole and final discretion. In some instances, our reward panel may choose higher rewards for unusually major, clever or complex vulnerability submissions.

Qualifying vulnerabilities:

  • Remote code execution

  • Authentication bypass

  • SQL injection

  • Unauthorized Access

  • Severe XSS and CSRF

  • Change content on our pages/websites

  • Skip merchant live account verification

  • Live Account take-over

  • Unauthorized data access such as:

      • Leak or retrieval of credit/debit card data

      • Leak or retrieval of merchant/account information

  • iOS application security flaws

  • Two Factor authentication flaws or bypass

To receive credit, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood, as well as allow us some time to fix it. Depending on the issue, we might take longer to produce a solution.

Non-qualifying vulnerabilities:

While researching, please refrain from:

  • Denial of service.

  • Spamming.

  • Destruction of data.

  • Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

  • Scans from available tools such as Nessus or Qualys.

  • Performing more than 100 requests per minute or 3000 per hour.

Vulnerabilities not eligible:

  • No Email verification while signing up in Test mode.

  • No session expiration if password changed.

  • Email enumeration via Login, Signup, or Forgot Password pages.

  • Rate limiting to any endpoint.

  • Content spoofing / text injection.

  • Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]

  • Logout and other instances of low-severity Cross-Site Request Forgery.

  • CSRF on GET-type URLs that are not important (e.g. reset test data).

  • Missing HTTP security headers.

  • Host Header Attacks.

  • Missing cookie flags on non-sensitive cookies.

  • Password and account recovery policies, such as reset link expiration or password complexity.

  • Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM).

  • Flaws affecting the users of out-of-date browsers and plugins: The security model of the web is being constantly fine-tuned. The panel will typically not reward any problems that affect only the users of outdated or unpatched browsers. In particular, we exclude Internet Explorer prior to version 9.

  • SSL/TLS best practices.

  • Clickjacking/UI redressing with no practical security impact.

  • Presence of banner or version information: Version information does not, by itself, expose the service to attacks - so we do not consider this to be a bug. That said, if you find outdated software and have good reasons to suspect that it poses a well-defined security risk, please let us know.

  • Vulnerabilities that depend on other non-existent vulnerabilities (these fall under best practices).

Security best practices: We welcome findings that are security best practices with no actual security vulnerability, but we may not award bounties for them; we can only give you thanks and points.

NOTE: Reports covering the exclusions above may be closed as Not Applicable or Duplicate, causing you to lose your hard-earned points, or we may mark them as Informative if deemed a good security best practice.

Payment Conditions

All reward payments are subject to compliance with local laws, rules and regulations. Before you receive your reward, we may require that you sign an affidavit of eligibility, a questionnaire, and a release of liability. You will be solely responsible for all applicable taxes relating to any reward under this Program.

Thank you for helping keep Omise and our users safe!

In Scope

Scope Type           Scope Name
android_application  co.omise.omise
ios_application      co.omise.omise
ios_application      co.omise.omise
web_application      dashboard.omise.co
web_application      offsite.omise.co
web_application      link.omise.co
web_application      api.omise.co
web_application      vault.omise.co
web_application      www.omise.co
web_application      dashboard2.omise.co
web_application      linksplus-dashboard.omise.co


The public program Omise on the HackerOne platform was updated on 2023-10-05. The lowest reward is 100 $.

FireBounty © 2015-2024