Security & Trust

Responsible Disclosure

Helping us maintain the highest standards of security for our platform and users.

Last Updated: March 27, 2026 | Policy Version: 2.1

Our Commitment

  • Promptly acknowledge receipt of your report and work to understand and resolve the issue quickly.
  • Validate, respond, and fix vulnerabilities in accordance with our commitment to security and privacy.
  • Publicly acknowledge and recognize your responsible disclosure in our Hall of Fame.

1. Introduction

Payos takes the security of our systems and data very seriously. We are continuously striving to maintain a safe and secure environment for everyone. If you've discovered any security vulnerabilities associated with any of our services, we appreciate your help in disclosing them to us in a responsible manner.

2. In-Scope Domains

This policy applies to the following Payos services and domains:

  • Web Application: payos.co.in and its subdomains.
  • API: api.payos.co.in
  • Mobile Apps: Payos iOS and Android applications.
  • Dashboard: dashboard.payos.co.in

3. Focus Areas

We are particularly interested in the following types of vulnerabilities:

  • SQL Injections
  • Authentication Bypass
  • Price Manipulation
  • Remote Code Execution
  • Sensitive Data Leakage
  • Payment Flow Bypass

4. Out of Scope

The following issues are generally considered out of scope:

  • Spam, Social Engineering, or Phishing.
  • DDoS or DoS attacks.
  • UI/UX bugs or spelling mistakes.
  • Vulnerabilities requiring physical access to a device.
  • Rate limiting (unless it poses a severe threat to data).

5. Rules of Engagement

CRITICAL RULE:

Automated tools or scripts are STRICTLY PROHIBITED. Any PoC submitted should have a proper step-by-step guide to reproduce the issue.

  • Make every effort to avoid privacy violations, degradation of user experience, and disruption to production systems.
  • Only use your own test accounts for vulnerability research. Do not attempt to access or modify data belonging to other users.
  • Do not disclose the vulnerability to any third party until it has been resolved by Payos.

6. Reporting Process

If you believe you've found a security vulnerability, please send your report to info@payos.co.in. Include the following details:

  • Description: A detailed description of the vulnerability.
  • Steps to Reproduce: Clear, step-by-step instructions (or scripts/screenshots).
  • Impact: The potential risk or impact of the vulnerability.
  • Recommendations: Any suggestions for remediation.