Responsible Disclosure

Created by Kalin Ivanov, Modified on Tue, 23 Jun at 8:39 AM by Kalin Ivanov

We welcome reports of security vulnerabilities in SwissPay. This page explains how to send one and what you can expect in response.

How to report

Send the report to security@swisspay.ai. Include:

  • A clear description of the vulnerability and where it is.
  • Steps to reproduce, including any specific account state, URLs, or payloads.
  • The potential impact — what an attacker could do.
  • Your name and how you would like to be credited (or not).

If the report contains anything sensitive (proof-of-concept payloads, internal data accessed during testing), please encrypt the email. We will accept a PGP-encrypted message on request — reach out for the current public key.

Our commitment to you

  • Acknowledgement of every report within 2 business days.
  • An initial triage assessment within 5 business days — severity, whether we can reproduce, and an indicative timeline.
  • Status updates at least every 14 days until the issue is closed.
  • Public credit in our security advisories (if you want it).

Scope

In scope:

  • The SwissPay API at https://app.swisspay.ai and any other endpoint we operate.
  • The SwissPay documentation site (this site).

Out of scope:

  • The infrastructure of our sub-processors — report these to them directly.
  • Social engineering of SwissPay staff or our customers.
  • Denial-of-service attacks against any production service.
  • Reports based on scanner output alone, without a demonstrated vulnerability.
  • Attacks that require access to a victim's device, account, or network.
  • Issues in third-party software outside our control (browsers, operating systems, etc.).

Safe harbour

If you act in good faith, follow the rules above, and give us a reasonable chance to fix the issue before publishing, we will not pursue legal action against you for your research. This includes:

  • Not testing beyond what is necessary to demonstrate the vulnerability.
  • Not accessing or modifying data that is not your own.
  • Not exfiltrating, retaining, or sharing customer data.
  • Not exploiting the vulnerability for any purpose other than confirming it exists.

Disclosure

We aim to publish a security advisory after the issue is fixed and our customers have had a reasonable window to update where applicable. Disclosure timing is coordinated with you. We follow a default 90-day disclosure window from initial report — extensions are possible by mutual agreement.
