
Bug Bounty Program

Help us keep Chapa safe. If you've found a security vulnerability in any Chapa product or service, we want to hear from you.

Notice: As of April 10, 2024, we are not accepting submissions except from local testers.


Introduction

Chapa recognizes the importance of the security community in our quest to provide a safe and secure experience for our customers and stakeholders. If you are a security researcher who has found a vulnerability in any Chapa product or service, we would like to hear from you.

By submitting a security bug or vulnerability to Chapa via email, you acknowledge that you have read and agreed to the Program Terms and Conditions below. By providing a submission, you agree not to publicly disclose your findings or the contents of your submission to any third parties without Chapa's prior written approval.

Submit a Vulnerability

Please include detailed reporting and a working Proof of Concept in your report.

Send your submission to security@chapa.co

Your report should include a clear description of the vulnerability, steps to reproduce, and a working Proof of Concept (PoC). Submissions without sufficient detail may not be accepted.

Scope

In-Scope

*.chapa.co

Any subdomain under chapa.co is eligible for testing and reporting.

Out-of-Scope

internal.chapa.co

Testing or probing of this domain is strictly prohibited. Vulnerabilities found here will not be accepted.

Authorized Testing

Bug hunters are only authorized to test and report security vulnerabilities on in-scope domains, specifically any subdomain under *.chapa.co. Testing or probing of internal.chapa.co is strictly prohibited, and any vulnerabilities discovered on this domain will not be accepted under this bug bounty program.

Permitted Activities

Bug hunters may perform the following activities:

Information gathering (reconnaissance)

Vulnerability scanning and assessment

Exploitation of vulnerabilities for proof of concept

Reporting of security vulnerabilities

Prohibited Activities

Bug hunters are not permitted to:

Engage in any activity that may disrupt the normal operation of the services under test.

Access, modify, or delete data on the systems.

Share discovered vulnerabilities with any third parties until they have been properly disclosed to and accepted by the program maintainers.

Responsible Disclosure

All vulnerabilities must be reported responsibly and promptly through the bug bounty platform or contact information provided by the program maintainers. Do not publicly disclose vulnerability details before Chapa has had a reasonable opportunity to address the issue.

Rewards & Recognition

Rewards will be provided based on the severity of the reported vulnerability and at the discretion of the program maintainers. Recognition may be given to individuals who responsibly report and help fix security issues.

Reward amounts are determined by Chapa based on the validated severity, impact, and quality of the report. Duplicate reports or reports of ineligible vulnerabilities will not qualify for rewards.

Program Changes

The program maintainers reserve the right to modify the rules, scope, or rewards of the bug bounty program at any time without prior notice. Continued participation in the program constitutes acceptance of any such changes.

Safe Harbor

Bug hunters who abide by these rules and act in good faith will be protected from legal actions by the program maintainers. “Good faith” means conducting research in a manner that does not harm Chapa, its customers, or its systems, and disclosing vulnerabilities responsibly.

Program Duration

The bug bounty program is ongoing, and there is no set end date. Bug hunters are encouraged to continuously test for vulnerabilities within the defined scope.

Notice: As of April 10, 2024, we are not accepting submissions with the exception of those from local testers.

Ineligible Vulnerabilities

Chapa does not consider the following to be eligible vulnerabilities:

API Key Disclosure without Proven Business Impact

Arbitrary File Upload without Proof of the Existence of the Uploaded File

Banner Grabbing / Version Disclosure

Best Practice Reports without a Valid Exploit

Best Practices Violations (Password Complexity, Expiration, Re-Use, etc.)

Blind SSRF without Proven Business Impact (Pingbacks are Not Sufficient)

Bypassing Rate-Limits or the Non-Existence of Rate-Limits

Clickjacking without Proven Impact / Unrealistic User Interaction

Content Injection without Being Able to Modify the HTML

Content / Text Spoofing

CSV Injection

CORS Misconfiguration on Non-Sensitive Endpoints

Denial of Service

Disclosed / Misconfigured Google Maps API Keys

Disclosure of Server or Software Version Numbers

Email Bombing

Anything Related to Email Spoofing, SPF, DMARC, or DKIM

Homograph Attacks

HTTP Request Smuggling without Any Proven Impact

Hypothetical Subdomain Takeovers without Supporting Evidence

Missing Cookie Flags

Missing Security Headers

Not Stripping Metadata of Files

Pre-Auth Account Takeover

Reports Exploiting the Behavior of, or Vulnerabilities in, Outdated Browsers

Reports of Spam

Reverse Tabnabbing

Self-XSS that Cannot be Used to Exploit Other Users

Session Invalidation or Improved Security Related to Account Management when a Credential is Already Known

Sessions Not Being Invalidated (Logout, Enabling 2FA, etc.)

Tokens Leaked to Third Parties

Unconfirmed Reports from Automated Vulnerability Scanners

User / Merchant Enumeration

Verbose Messages / Files / Directory Listings without Disclosing Sensitive Information

XMLRPC Enabled

Vulnerability Categories

Rewards are tiered based on the severity of the reported vulnerability. The following categories are used to classify eligible reports:

Low Severity

Minor Info Disclosure

Low-Impact XSS

Open Redirects

Medium Severity

Stored XSS

SQL Injection (Low)

Session Fixation

Insecure Direct Object Reference (IDOR)

High Severity

SQL Injection (High)

Sensitive Data Exposure

Significant XSS

Server-Side Request Forgery (SSRF)

Broken Authentication

XML External Entity (XXE)

Insecure Deserialization

Privilege Escalation

For questions about this program, contact security@chapa.co
