We take security seriously — and so do you. Thank you for that. The security of our systems and the privacy of our users matter deeply to us. If you've discovered a vulnerability in one of our products, you're making a real contribution to a safer internet — and we genuinely appreciate that. This page explains how to share your findings with us safely and responsibly.
Security research is valuable work, and we want to make it easy for you to report findings without hesitation. If you act in good faith and follow the guidelines on this page, you have our commitment that we will not pursue legal action against you — and we will not involve law enforcement. Should a third party take legal action against you for activities that fall within this policy, we will make clear that your actions were conducted with our knowledge and authorization.
We ask only that you stay within the defined scope, avoid accessing data beyond what's necessary to demonstrate the issue, and give us a fair chance to fix it before disclosing publicly.
In short: act responsibly, and we've got your back — regardless of where in the world you're based.
In scope: Any opago-managed services, APIs, and web applications. Includes *.opago.com and *.opago-pay.com.
Out of scope: Third-party integrations, Denial of Service (DoS) attacks, social engineering & physical testing, or automated scanner results without manual verification.
Send us an email. To help us triage your report quickly, please include the following information:
Please do not exploit the vulnerability or access data beyond what's necessary to demonstrate it. And please keep your findings confidential until we've had a chance to remediate — we work under a 90-day coordinated disclosure window.
| Name / Alias | URL | Vulnerability |
|---|
No entries yet. Be the first to responsibly disclose a vulnerability.