Vulnerability Disclosure Program
1. Introduction
PawPayments is committed to building and operating secure payment infrastructure. Like any real-world software system, however, our platform may contain security issues despite careful engineering, code review, monitoring, and testing.
This Vulnerability Disclosure Program explains how independent security researchers can report suspected vulnerabilities to us responsibly. It defines what may be tested, what activities must be avoided, how to submit a useful report, and what you can expect from PawPayments after a report is received.
2. Guidelines
When researching or reporting a security issue, you must:
- Notify us as soon as reasonably possible after discovering a real or potential vulnerability.
- Make every effort to avoid privacy violations, service degradation, disruption of production systems, and destruction or manipulation of data.
- Use any exploit only to the minimum extent necessary to confirm the vulnerability.
- Stop testing and contact us immediately if you encounter personal data, merchant data, payment data, credentials, private keys, secrets, or any other sensitive information.
- Give us a reasonable amount of time to investigate and remediate the issue before making any public disclosure.
- Submit clear, actionable reports and avoid a high volume of low-quality, automated, duplicate, or speculative findings.
3. Scope
The following PawPayments-owned assets are in scope for this program:
- Public website and merchant dashboard served from pawpayments.com, including authentication flows, merchant management, withdrawals, ticketing, and account settings.
- Public and authenticated API endpoints exposed by PawPayments for dashboard and merchant use, including api.pawpayments.com.
- Hosted checkout flows used by merchants to accept cryptocurrency payments.
- Official PawPayments integration documentation and examples where a security defect could materially affect merchants or end users.
Third-party services integrated with PawPayments, including wallet providers, fiat on-ramp providers, KYC/AML providers, captcha providers, analytics services, email delivery providers, and external support tools, are not in scope unless the issue is caused by PawPayments’ own implementation.
4. Things to Avoid
While testing, do not perform or attempt any of the following:
- Denial-of-service, stress, load, or resource-exhaustion testing.
- Brute forcing, credential stuffing, password spraying, or MFA bypass spam.
- Social engineering, phishing, vishing, smishing, or physical attacks.
- Exfiltrating, downloading, modifying, deleting, or publicly exposing data.
- Testing against merchants, end users, employees, support operators, or third-party systems without explicit authorization.
- Creating fraudulent payments, withdrawals, refunds, chargebacks, or other financial activity except where explicitly coordinated with us in advance.
- Using scanners or automation that generate high request volume or interfere with normal platform operation.
5. Our Response
After you submit a report, we aim to acknowledge receipt within 48 hours. We will review the report, attempt to reproduce the issue, assess its severity and impact, and prioritize remediation based on risk.
Many issues can be fixed quickly. Vulnerabilities that require architectural changes, third-party coordination, compliance review, or merchant-impacting changes may take longer. We will try to keep you informed when a report is accepted as valid and when the issue has been resolved.
If you act in good faith, follow this policy, avoid harm to users and systems, and report issues through the process below, PawPayments will not pursue legal action against you for the security research described in your report.
6. Recognition and Compensation
PawPayments may, at its sole discretion, provide recognition or compensation for valid reports that identify a previously unknown, reproducible security issue with meaningful impact. Eligibility and amount depend on severity, exploitability, report quality, affected asset, and whether the issue was already known to us. Eligible verified reports may receive compensation in the range of $100 to $5,000, depending on the criticality and practical impact of the vulnerability.
We do not guarantee payment for every report. Reports based only on automated scanner output, missing security headers without practical impact, self-XSS, clickjacking on non-sensitive pages, rate-limit suggestions without demonstrated risk, or issues requiring unrealistic user interaction may be closed as informational.
7. Reporting
To report a vulnerability, email security@pawpayments.com with the subject line "Security report". Please include as much detail as possible:
- Affected URL, endpoint, flow, account type, or integration.
- Clear reproduction steps and expected versus actual behavior.
- Impact assessment, including who could be affected and under what conditions.
- Proof-of-concept code, screenshots, request/response samples, or logs.
- Any accounts, merchant IDs, payment IDs, or test data you created during research.
- Your preferred contact details for follow-up.
Do not include sensitive personal data, secrets, private keys, seed phrases, or large data exports in the initial report. If encrypted communication is needed, ask us for a secure submission method in your first email.
8. Vulnerability Disclosure
We ask that you do not publicly disclose a vulnerability until PawPayments has investigated and remediated it, or until we have mutually agreed on a disclosure timeline. For critical issues with broad user, merchant, or payment impact, we may notify affected users through appropriate channels, which may include in-product notifications, email, status updates, support channels, or a public post.
Any public disclosure by PawPayments will focus on the nature of the issue, the affected systems, the remediation, and practical steps users or merchants should take where applicable.