The primary objective of our Bug Bounty Program is to encourage the responsible disclosure of security vulnerabilities in our products and services. By providing incentives to security researchers, we aim to improve the overall security posture of our organization and protect our users' data.
To notify Mamo of a vulnerability, please submit your findings here: goto.mamopay.com/bug-bounty
Eligible vulnerabilities
This program is open to anyone who discovers and responsibly reports security vulnerabilities in Mamo's products and services. It excludes, however, the following:
Mamoers.
Employees of third-party vendors and contractors working for / with Mamo.
For a vulnerability to qualify, the reporter must demonstrate, in the submission form, a security exploit that can be reproduced.
Note that only domains that are currently being used to deliver Mamo’s core services qualify for this program. For sub-domains managed by other service providers, please report issues to their respective security teams.
The list of vulnerabilities covered includes:
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Significant vulnerabilities in access control setup.
Server-Side Request Forgery (SSRF).
Injection flaws.
Cryptographic failures.
Significant security misconfigurations.
Significant product flaws that compromise our users' assets.
Common vulnerability exclusion list
The following are ineligible for rewards:
Impacts requiring attacks that the reporter has already exploited themselves, leading to damage.
Impacts caused by attacks requiring access to leaked keys/credentials.
Mentions of secrets, access tokens, API keys, private keys, etc. will be considered out of scope without proof that they are in-use in production.
Self-XSS.
Login/Logout CSRF.
CSRF configuration issue without exploitable proof of concept.
Best practice recommendations
Feature requests
Absent security headers which do not directly result in a vulnerability.
Vulnerabilities in third-party components, depending on severity and exploitability.
Rate limiting of emails sent during registration, authentication, and email change confirmations.
EXIF not removed from uploads, unless discoverable outside of the workspace.
Denial of Service (DoS) and rate limiting issues.
Bugs requiring highly improbable user interaction.
Social engineering attacks.
Flaws affecting users of outdated browsers and plugins.
Enumeration or disclosure of non-sensitive information.
Enumeration of information within a single workspace context.
Lack of input validation without exploitable proof of concept.
Email bombing and flooding.
Email and domain spoofing.
Some reported issues may not qualify if they don't present a significant risk to the business.
Guidelines
Do not disclose the bug publicly before it has been resolved.
Do not attempt to access another user's account or data. Use your own test accounts for cross-account testing.
Do not conduct any attack that could compromise the reliability or integrity of our services or data. DDoS or spam attacks are prohibited.
Do not exploit the vulnerability to gain unauthorized access or harm our systems or users.
Do not affect other users with your testing, including by testing for vulnerabilities in accounts you don't own. We may suspend your account and block your IP address if you do so.
Do not use scanners or automated tools to find vulnerabilities. They're disruptive and we may suspend your account and block your IP address.
Provide all necessary details for us to reproduce and validate the vulnerability.
Reporting process
Security researchers who identify a potential vulnerability should report it to Mamo by submitting the form linked above.
Our security team will review the submission and acknowledge receipt within 48 hours.
Once validated, we will work with the reporter to assess the severity and impact of the vulnerability.
Depending on the severity of the vulnerability, we will provide an initial assessment and work towards a resolution.
If the vulnerability is accepted, the reporter will receive a reward based on the severity and impact of the issue.
How we deal with submissions
We will respond promptly to your submission.
We will keep you informed as we work to resolve the bug you submitted.
We will not take legal action against you if you adhere to the guidelines and act in good faith.