Responsible Disclosure
Last Modified: March 26, 2026
Overview
PayNow values the security community and welcomes responsible disclosure of security vulnerabilities. We appreciate researchers who take the time to report security issues to us responsibly.
Reporting Security Issues
If you discover a security vulnerability, please report it to us through one of these channels:
- Email: security@paynow.gg
- Discord: discord.gg/paynow (open a private ticket)
What to Include in Your Report
Please provide the following information:
- Type and severity of the vulnerability
- Steps to reproduce the issue
- URL or location of the vulnerability
- Proof-of-concept code, screenshots, or recordings
- Potential impact assessment
- Suggested remediation (if applicable)
Testing Guidelines
- Only test against stores you have created yourself
- Do not target active vendors or customer stores
- Do not access or modify data belonging to other users
- Stop testing once you've confirmed the vulnerability
- Add "security-research" to the end of your PayNow store name
- Use an identifiable User-Agent header while conducting your research (e.g. SecurityResearch-YourUsername)
Prohibited Actions
The following actions are strictly prohibited:
- Automated scanning that generates excessive traffic
- Testing on production customer data or live transactions
- Attempting to access PayNow internal systems or employee accounts
- Publicly disclosing vulnerabilities before receiving our confirmation
- Demanding payment or making threats for disclosure
Safe Harbor
PayNow will not pursue legal action against researchers who:
- Act in good faith and follow this policy
- Do not exploit vulnerabilities beyond what's necessary for verification
- Do not violate the privacy of our users
- Do not destroy or corrupt data
Response Timeline
We acknowledge receipt within 3 business days and complete our review within 30 days. Low-priority or out-of-scope reports may not receive a response.
Public Disclosure
Public disclosure should only be made after confirmation from the PayNow team. We'll work with you to coordinate disclosure timing.
Bug Bounties
We generally do not offer bug bounties except for critical vulnerabilities involving:
- Personally identifiable information (PII) exposure
- Payment processing or financial exploits
- Cross-tenant data leaks
Bounty eligibility is determined by our internal severity criteria.
Out of Scope
The following issues are considered out of scope:
| Issue Type | Description |
|---|---|
| Account Squatting | Preventing users from registering with certain email addresses |
| Physical Access / MITM Attacks | Attacks requiring physical access to a user's device or a man-in-the-middle position |
| Missing Best Practices without Exploits | Security weaknesses without a concrete exploit (CSP, SSL/TLS configs, email configs, cookie flags, rate limits, security headers) |
| Non-sensitive Clickjacking | Clickjacking on pages with no sensitive actions |
| CSV Injection without Vulnerability | CSV injection without a demonstrated compromise |
| Content Spoofing without Attack Vector | Text injection without the ability to modify HTML/CSS |
| Non-sensitive CSRF | CSRF on unauthenticated or non-sensitive forms |
| Denial of Service | DoS attacks of any kind |
| Information Disclosure | Software versions, server banners, stack traces, descriptive errors |
| Hypothetical Subdomain Takeovers | Subdomain takeovers without supporting evidence |
| Open Redirects | Unless additional security impact can be demonstrated |
| Vulnerable Libraries | Known vulnerable libraries without a working proof of concept |
| Rate Limiting on Non-auth Endpoints | Brute-force issues on non-authentication endpoints |
| Outdated Browser Exploits | Vulnerabilities only affecting outdated browsers (2+ versions behind stable) |
| Spam | Reports of spam issues |
| Social Engineering | Phishing, tabnabbing, or social engineering attacks |
| Web Crawler Results | URLs indexed by search engines or archives |
| Session Management | Session invalidation issues when credentials are already known |
| Self-XSS and Self-Exploitation | Issues requiring users to compromise their own security |
| Automated Scanner Reports | Unverified automated scanner results without a working exploit |
Contact
Questions about this policy? Contact us at security@paynow.gg