Omoney RESPONSIBLE DISCLOSURE PROGRAM

Introduction

At Omoney, we take system security very seriously and continuously work to maintain a safe and secure environment for all users. Security is an ongoing process, though, and we welcome reports of security vulnerabilities affecting Omoney services.

Omoney invites skilled security researchers to participate in our Vulnerability Disclosure Program. As an external security researcher, you can engage with Omoney by reporting vulnerabilities to us in accordance with our Responsible Disclosure Policy. Omoney reserves the right to decide whether a report is valid and to assess it based on the impact of the vulnerability.

Policy

Omoney genuinely values the assistance of security researchers and others in the security community in helping to keep our systems secure. However, we require researchers to follow the rules set out in this Responsible Disclosure Policy when reporting a security vulnerability to us.

  • Contact [email protected] if you have found a potential vulnerability in our product or infrastructure that meets the criteria set out in this policy.
  • Our security team will acknowledge your submission within 24 hours.
  • Omoney will determine the severity of the issue based on its impact and ease of exploitation.
  • Validation of a reported issue may take 3 to 5 days.
  • Please avoid accessing sensitive information (use a test account and/or test system instead), performing actions that may negatively affect other Omoney users (such as denial of service), or submitting reports generated by automated tools.
  • You must not exploit a security vulnerability that you discover, for any reason.
  • Perform research only within the scope set out below.
  • You must not access, download, or modify data in any account that does not belong to you, or attempt to do so.
  • Keep information about any vulnerability confidential until the issue is resolved. Do not publicly disclose details of a security vulnerability that you have reported without Omoney's permission.
  • Omoney determines recognition in the Hall of Fame based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. Note that extremely low-risk vulnerabilities may not qualify for the Hall of Fame at all.
  • In the event of duplicate reports, recognition goes to the first person to submit the vulnerability. Omoney determines what counts as a duplicate and may not share details of the other reports.

Reporting Guidelines

To register after identifying a vulnerability, please send an email to [email protected] with the details of your finding.

After registration, please use only the registered email address when interacting with the Omoney security team. Do not use personal emails, social media accounts, or other private channels to contact a member of the security team about vulnerabilities or any program-related issues, unless instructed to do so.

In your report, please provide the following details:

  • A description of the vulnerability and its potential impact;
  • Detailed steps required to reproduce the vulnerability;
  • Screenshots and a video PoC, if available;
  • Your preferred name or handle for recognition in our Security Researcher Hall of Fame.

Target Scope

Only the following domains are in scope for this program, and researchers are encouraged to look for security vulnerabilities within them:

  • *.Omoney.com

Out of Scope

  • https://wcdev.Omoney.com

Exclusion of Third-Party Software

As part of providing services to its customers, Omoney integrates with various third-party software. This program does not extend to any such third-party software, and bugs or vulnerabilities found in it will not be considered valid findings. Nonetheless, any such vulnerabilities communicated to Omoney may be forwarded to the third-party service provider.

In-Scope Vulnerabilities

  • Remote code execution (RCE)
  • Payment flow bypass
  • Account takeover (ATO)
  • Price manipulation resulting in a successful transaction (transaction ID required)
  • SQL injection, XML external entity (XXE) injection, and command injection
  • Stored cross-site scripting (XSS) and reflected XSS with demonstrated impact
  • Server-side request forgery (SSRF)
  • Server and application misconfiguration
  • Authentication and authorization vulnerabilities, including horizontal and vertical privilege escalation
  • Cross-site request forgery (CSRF)
  • Sensitive information disclosure and insecure direct object reference (IDOR)
  • Domain takeover vulnerabilities
  • Any vulnerability that can affect the Omoney brand, user (customer/merchant) data, or financial transactions

Out-of-Scope Vulnerabilities

  • Social engineering (including phishing) of any Omoney staff or contractors
  • Denial of service (DoS) and distributed denial of service (DDoS)
  • X-Frame-Options issues, and missing cookie flags on non-sensitive cookies
  • Missing security headers that do not lead directly to a vulnerability (unless you deliver a PoC)
  • Version disclosure (unless you deliver a working exploit PoC)
  • Directory listing of already publicly readable content
  • HTML injection and self-XSS
  • Information disclosure not associated with a vulnerability, e.g. stack traces, application or server errors, robots.txt
  • Use of known-vulnerable libraries (such as OpenSSL) without proof of exploitation
  • Brute forcing of login or forgotten-password pages, and account lockout not being enforced
  • Application denial of service by locking user accounts
  • Reports from automated scripts or scanners
  • Clickjacking and issues only exploitable through clickjacking
  • Missing or weak CAPTCHA, and CAPTCHA bypass
  • SSL/TLS issues such as BEAST, BREACH, renegotiation attacks, forward secrecy not enabled, weak or insecure cipher suites, and missing best practices
  • HTTP TRACE or OPTIONS methods enabled
  • Login/logout CSRF
  • Open ports without an accompanying proof of concept demonstrating a vulnerability
  • Reflected XSS (unless you deliver a PoC showing impact)
  • Formula injection or CSV injection
  • EXIF data not stripped from images
  • Missing rate limiting
  • Missing HTTP security headers, and missing cookie flags on non-sensitive cookies
  • Email issues related to SPF, DKIM, or DMARC
  • User email enumeration

Omoney reserves the right to expand this list and add further exclusions when required.