Vulnerability disclosure policy
At Payabli, the security of our platform, customers, and partners is a top priority. We value the security community and encourage responsible disclosure of potential vulnerabilities in our systems.
This policy outlines how to report security issues to Payabli and what you can expect from us in return.
Our commitment
If you identify a security vulnerability and report it to us in accordance with this policy, Payabli commits to:
- Acknowledge receipt of your report within a reasonable timeframe
- Investigate the issue promptly
- Work to remediate validated vulnerabilities based on severity and risk
- Not pursue legal action for good-faith security research conducted in accordance with this policy
We appreciate responsible disclosure and collaboration that helps improve our security posture.
Scope
This policy applies to vulnerabilities in:
- Publicly accessible Payabli websites
- Public APIs and developer endpoints
- Applications and services owned and operated by Payabli
Out of scope
The following aren’t covered by this policy:
- Third-party vendors, partners, or integrations not owned by Payabli
- Social engineering, phishing, or physical testing of employees
- Denial of service (DoS/DDoS) testing
- Automated scanning that degrades performance
- Any testing that violates applicable law
If you aren’t sure whether a system is in scope, contact us before proceeding.
How to report a vulnerability
Submit vulnerability reports to vulnerability@payabli.com.
To help us triage quickly, include:
- A detailed description of the issue
- Affected URL, endpoint, or system
- Steps to reproduce
- Proof of concept (screenshots, request/response samples, etc.)
- Any potential impact you identified
- Your contact information
We request that you refrain from public disclosure until we’ve had a reasonable opportunity to investigate and remediate.
Responsible disclosure guidelines
We ask that you:
- Act in good faith
- Avoid accessing, modifying, or exfiltrating customer data
- Limit testing to what’s necessary to demonstrate the vulnerability
- Cease testing immediately if sensitive data is encountered and notify us
- Not attempt privilege escalation, persistence, or lateral movement
Testing that causes service disruption or operational impact isn’t authorized.
Safe harbor
If you conduct research in good faith and in accordance with this policy, Payabli won’t pursue legal action related to your findings.
This safe harbor applies only to activities that comply with this policy and applicable laws.
Rewards and recognition
Payabli doesn’t operate a formal bug bounty program.
We may, at our sole discretion:
- Provide public recognition (with your permission)
- Offer non-monetary acknowledgment
- Provide discretionary compensation
Submission of a report doesn’t create an entitlement to compensation. Any reward or payout is determined solely at Payabli’s discretion.
Policy changes
Payabli reserves the right to modify or terminate this vulnerability disclosure policy at any time.