PayNow Responsible Disclosure Policy

Last Modified: September 10, 2025

Overview

PayNow values the security community and welcomes responsible disclosure of security vulnerabilities. We appreciate researchers who take the time to report security issues to us responsibly.

Reporting Security Issues

If you discover a security vulnerability, please report it to us through one of these channels:

What to Include in Your Report

Please provide the following information:

  • Type and severity of the vulnerability
  • Steps to reproduce the issue
  • URL or location of the vulnerability
  • Proof-of-concept code, screenshots, or recordings
  • Potential impact assessment
  • Suggested remediation (if applicable)

Testing Guidelines

  • Only test on your own created stores
  • Do not target active vendors or customer stores
  • Do not access or modify data belonging to other users
  • Stop testing once you've confirmed the vulnerability
  • Add "security-research" to the end of your PayNow store name
  • Use an identifiable User-Agent header while conducting your research (e.g. SecurityResearch-YourUsername)

Prohibited Actions

The following actions are strictly prohibited:

  • Automated scanning that generates excessive traffic
  • Testing on production customer data or live transactions
  • Attempting to access PayNow internal systems or employee accounts
  • Publicly disclosing vulnerabilities before receiving our confirmation
  • Demanding payment or making threats for disclosure

Safe Harbor

PayNow will not pursue legal action against researchers who:

  • Act in good faith and follow this policy
  • Do not exploit vulnerabilities beyond what's necessary for verification
  • Do not violate the privacy of our users
  • Do not destroy or corrupt data

Response Timeline

We acknowledge receipt within 3 business days and review all reports within 30 days. Low-priority or out-of-scope issues may not receive a response.

Public Disclosure

Public disclosure should only be made after confirmation from the PayNow team. We'll work with you to coordinate disclosure timing.

Bug Bounties

We generally do not offer bug bounties except for critical vulnerabilities involving:

  • Personally identifiable information (PII) exposure
  • Payment processing or financial exploits
  • Cross-tenant data leaks

Bounty eligibility is determined by our internal severity criteria.

Out of Scope

The following issues are considered out of scope:

  • Account Squatting: Preventing users from registering with certain email addresses
  • Physical Access / MITM Attacks: Attacks requiring physical access to a user's device or a man-in-the-middle position
  • Missing Best Practices without Exploits: Security weaknesses without concrete exploits (CSP, SSL/TLS configs, email configs, cookie flags, rate limits, security headers)
  • Non-sensitive Clickjacking: Clickjacking on pages with no sensitive actions
  • CSV Injection without Vulnerability: CSV injection without demonstrating actual compromise
  • Content Spoofing without Attack Vector: Text injection without the ability to modify HTML/CSS
  • Non-sensitive CSRF: CSRF on unauthenticated or non-sensitive forms
  • Denial of Service: DoS attacks of any kind
  • Information Disclosure: Software versions, server banners, stack traces, descriptive errors
  • Hypothetical Subdomain Takeovers: Subdomain takeovers without supporting evidence
  • Open Redirects: Open redirects, unless additional security impact can be demonstrated
  • Vulnerable Libraries: Known vulnerable libraries without a working proof of concept
  • Rate Limiting on Non-auth Endpoints: Brute-force issues on non-authentication endpoints
  • Outdated Browser Exploits: Vulnerabilities only affecting outdated browsers (2+ versions behind stable)
  • Spam: Reports of spam issues
  • Social Engineering: Phishing, tabnabbing, or social engineering attacks
  • Web Crawler Results: URLs indexed by search engines or archives
  • Session Management: Session invalidation issues when credentials are known
  • Self-XSS and Self-Exploitation: Issues requiring users to compromise their own security
  • Automated Scanner Reports: Unverified automated scanner results without working exploits

Contact

Questions about this policy? Contact us at [email protected]