Responsible Vulnerability Disclosure Program

At Volopay, protecting our platform and customer data is a top priority. We value collaboration with the security research community and encourage responsible disclosure of potential vulnerabilities.

To recognize meaningful security contributions, we operate a responsible vulnerability disclosure program covering Volopay-owned web assets.

Security reports should be submitted to responsible-disclosure@volopay.co and will be reviewed based on their severity and potential impact.


Scope of the Program

The program generally covers Volopay-operated web services that process or store sensitive user information.

This includes most services located under the following domains:

*.volopay.com

*.volopay.co

If you are uncertain whether a system is within scope, you may still report it and our team will review it accordingly.


Eligible Vulnerabilities

We welcome reports that identify security weaknesses affecting the confidentiality, integrity, or security of user data.

Examples include issues caused by flaws in design, implementation, or configuration of Volopay web applications.

The program focuses strictly on technical vulnerabilities within Volopay-managed web applications.

Researchers must avoid actions that could harm the platform or its users, including but not limited to:


Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks

Social engineering attempts

Spam or automated abuse of services

Any disruptive or destructive testing


Vulnerabilities That Are Not Eligible for Rewards

The following findings are excluded from the vulnerability program:


Testing Methods

Use of automated vulnerability scanners

Any testing that generates excessive traffic or disrupts services


Informational Findings

Discovery of publicly available files or directories (e.g., robots.txt)

Exposure of non-sensitive information

General source code disclosures without security impact


Low-Risk or Non-Impactful Issues

Clickjacking vulnerabilities

Content spoofing

Username or email enumeration

Enabled HTTP OPTIONS method

Missing HTTP security headers such as:

Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, Cache-Control, Pragma


CSRF Related Cases

CSRF affecting public or anonymous forms

CSRF requiring prior knowledge of a CSRF token

Logout CSRF


SSL / TLS Related Findings

Examples include:

Known SSL attack patterns such as BEAST or BREACH

Lack of forward secrecy

Weak or legacy cipher suites


XSS Restrictions

Self-XSS vulnerabilities

XSS that requires local access or manual header manipulation

An exception may apply if the report demonstrates a realistic remote exploitation scenario.


Email & DNS Configuration

Missing or misconfigured SPF records

Missing or incorrect DMARC policies

Abuse Scenarios

Email flooding or rate-limiting-related reports


Non-Qualifying Reports

Even if a vulnerability is technically valid, it may not qualify for a reward if:

The impact is minimal

The issue does not pose a realistic risk to the platform or users

It requires extreme or impractical user interaction

Each submission is evaluated individually.


Reward Determination

Reward amounts are determined by our internal review panel and are generally aligned with industry standards for responsible vulnerability disclosure programs.

Factors that influence the reward amount include:

Severity and potential impact

Quality and clarity of the report

Ease of exploitation

Creativity or uniqueness of the finding

Additional notes:

Particularly innovative or critical discoveries may receive higher rewards.

Reports requiring unusual user interaction may receive lower payouts.

Multiple reports describing the same underlying issue may be treated as one vulnerability.

Rewards are granted on a first valid report basis.


Responsible Testing Practices

Researchers must follow responsible security testing practices:

Only test using accounts you own or control

Do not attempt to access other users’ data

Avoid actions that could damage or disrupt services

If you encounter sensitive user data during your research:

Do not copy, store, or share the information

Immediately report the issue to our team

Our goal is to identify vulnerabilities — not expose user data.


Reporting Vulnerabilities

Please include the following information when submitting a report:

Description of the vulnerability

Steps to reproduce the issue

Proof-of-concept or screenshots (if applicable)

Potential impact of the vulnerability


Reports should be sent to:

responsible-disclosure@volopay.co

Note that we can only assist with security vulnerability reports. Issues related to account access or general platform problems should be directed to the customer support team.


Legal Safe Harbor

Volopay considers good-faith security research to be authorized conduct. We will not initiate legal action against researchers who attempt to find and report vulnerabilities in accordance with these guidelines.

As long as you follow this policy, do not disrupt our services, and do not access or leak user data, we waive any restricted-access claims (such as under the Computer Fraud and Abuse Act or local equivalents) and will support your research as a helpful contribution to our security.


Responsible Disclosure Policy

We request that all researchers act in good faith and follow responsible disclosure practices.

Please do not publicly disclose vulnerabilities without prior coordination and approval from Volopay.

In return, we commit to:

Acknowledging reports promptly

Investigating vulnerabilities thoroughly

Fixing confirmed issues within a reasonable timeframe


Reports that violate responsible disclosure practices may not qualify for rewards, although exceptions may be reviewed individually.