# Security disclosure policy
OID4Pay welcomes coordinated disclosure of security vulnerabilities in
the authorization server, the wallet portal, the merchant SDKs, the
CDN bundle, and any document published under oid4pay.com.
## How to report
The fastest path is the RFC 9116 contact channel: /.well-known/security.txt. Submissions arrive at security@oid4pay.com. Please encrypt non-trivial reports with the team PGP key linked from the security.txt file.
## What to include
- A reproducer (curl invocation, code snippet, or screenshot).
- The host the report applies to. The production AS, wallet, and
  merchant SDKs are in scope; the test-mode sandbox at
  sandbox.oid4pay.com is in scope but lower-severity by default.
- Your preferred attribution; the Acknowledgments file links researcher names and dates of confirmation.
## Response SLO
| Stage | Target SLO |
|---|---|
| Acknowledgment | 24 hours |
| Triage decision | 5 working days |
| Fix shipped (critical or high) | 30 days from triage |
| Public advisory | after fix lands or at researcher request |
## Safe harbor
Good-faith research conducted within scope need not expect legal consequences. We will not pursue civil or criminal claims for research that:
- Discloses only to the official security contact above.
- Does not access more data than the minimum needed to demonstrate the issue.
- Avoids degradation of service for other principals or merchants.
- Refrains from exploiting the issue beyond demonstration.
## Out of scope
- Volumetric denial-of-service or spam.
- Social engineering against OID4Pay personnel or merchants.
- Vulnerabilities in upstream services (Cloudflare, Stripe, Postgres) that are reachable through OID4Pay only because OID4Pay depends on them.