Wibmo Bug Bounty Program
Wibmo is committed to ensuring the security and integrity of our services. As part of this commitment, we are launching the Wibmo Bug Bounty Program. Through this program, we encourage security researchers to responsibly disclose any potential vulnerabilities they find on our platforms, thereby contributing to our continuous drive to enhance the safety and security of our systems.
Total Submissions
125
Researchers
11558
Unique Visitors
969
Submission Rate
0.84%
Wibmo
Wibmo, a leading technology and service provider for the financial services industry, was founded in Cupertino, CA, in 1999. It is a global full-stack PayTech company and an industry leader in payment security and digital payments, partnering with 130 banks across 25 countries. It is the largest authentication service provider in India, one of the world's leading digital payment markets. Wibmo also offers solutions ranging from mobile payments, fraud and risk management, prepaid solutions, and a host of merchant and acquiring services. Wibmo is the only merchant acquiring, prepaid, and fraud management platform to truly evolve as the only full-stack payment processing company which is 3DS2.0 certified. With a strong foothold across the globe, including countries such as the USA, Philippines, Indonesia, UAE, Kenya, Nigeria, and South Africa, going further, it envisions increasing its global footprint with a presence in key countries across APAC, Europe, the Americas, and MEA. On the back of its vast value proposition and robust expansion over the next few years, Wibmo was acquired by PayU in 2019. Security and compliance are always a top priority at Wibmo. The company’s net set of policies are in line with regional and regulatory compliance including GDPR, ISO27K, ISO27701, SOC2, PCI, PASSLC, RBI, MASTRM, etc. The company is also targeting to be certified in several other industry-leading certifications. Wibmo's Accosa IVS, ACS products are certified under EMVco, Visa, MasterCard, Amex, Union Pay, and Rupay. And Wibmo's TRIDENT FRM is a two-time award-winning Fraud and Risk Management Solution, having won the IDC Future Enterprise Awards India 2021 in the Future of Trust category and Payments Industry Awards 2021 in the Security Innovation of the Year category. Operating with payment domain experts, Wibmo revels in its key tenets of unique value creation, customer-centricity, overseas expansion, and nurturing talent.
Rewards Listing
| Technical Severity | Created | Bounty Range |
|---|---|---|
|
Critical (P1)
|
11 March 2025 | 4000.00 - 7500.00 |
|
Severe (P2)
|
11 March 2025 | 2000.00 - 4000.00 |
|
Moderate (P3)
|
11 March 2025 | 1000.00 - 2000.00 |
|
Low (P4)
|
11 March 2025 | 500.00 - 1000.00 |
|
Informational (P5)
|
11 March 2025 | Certificate of Appreciation |
Earn Recognition for Your Contributions
This program awards certificates to researchers for their significant contributions and achievements. Researchers can be granted a certificate for their accepted reports by the organization, recognizing their effort and success.
| Severity | Resolution (in days) |
|---|---|
|
P1
|
7 |
|
P2
|
14 |
|
P3
|
30 |
|
P4
|
60 |
|
P5
|
90 |
Security researchers must not:
- Test any system other than the systems set forth in the ‘Scope’ section above.
- Disclose vulnerability information except as set forth in the ‘Reporting a Vulnerability’ and ‘Disclosure’ sections below
- engage in physical testing of facilities or resources,
- engage in social engineering,
- send unsolicited electronic mail to Wibmo users, including “phishing” messages.
- execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks,
- introduce malicious software,
- test in a manner which could degrade the operation of Wibmo systems or intentionally impair, disrupt, or disable Wibmo systems,
- test third-party applications, websites, or services that integrate with or link to or from Wibmo systems, Wibmo data, or render Wibmo data inaccessible, or
- use an exploit to exfiltrate data, establish command line access, establish a persistent presence on Wibmo systems, or “pivot” to other Wibmo systems.
Security researchers may:
- View or store Wibmo nonpublic data only to the extent necessary to document the presence of a potential vulnerability.
Security researchers must:
- cease testing and notify us immediately upon discovery of a vulnerability,
- cease testing and notify us immediately upon discovery of an exposure of nonpublic data, and
- purge any stored Wibmo nonpublic data upon reporting a vulnerability.
- Age: Participants must be 18 years of age or older at the time of entry.
- Affiliation: Individuals affiliated with Wibmo, including employees, contractors, and their immediate families, are not eligible to participate.
- Country of Residence: we accept submissions globally.
- Compliance: Researchers must be in full compliance with all terms and conditions of the Wibmo Bounty Initiative.
- Denial of Service (DoS/DDoS) Attacks: Any attempts to disrupt the service are strictly prohibited.
- Physical Security: Physical attacks against offices, data centers, or any other physical assets.
- Third-party Platforms: Vulnerabilities in third-party components or services used by Wibmo but not under our direct control.
- Social Engineering: This includes spear-phishing, pretexting, baiting, and any other form of obtaining information through deception.
- Clickjacking on pages with no sensitive actions.
- Issues related to software or protocols not under Wibmo control.
- Unconfirmed Reports: reports without a clear proof-of-concept or lacking detailed steps to reproduce.
Carefully review and understand the rules and scope of the bug bounty program. Each program has specific guidelines, eligibility criteria, and a defined scope of systems, applications, or services that are in-scope for testing. Focus your efforts on these areas to ensure your findings are eligible for rewards.
When reporting a vulnerability, commit to providing clear and comprehensive details to help the organization reproduce and validate your findings. Include step-by-step instructions, proof-of-concept code if applicable, and any other relevant information that can assist the organization's security team in understanding and verifying the issue.
Engage in professional communication with the organization's security team. Be responsive to any requests for clarification, additional information, or coordination during the vulnerability verification process. Maintain open and respectful communication throughout the entire process, understanding that both parties are working together to improve security.
Always adhere to responsible disclosure practices. When you discover a vulnerability, avoid exploiting it for malicious purposes or sharing it with unauthorized parties. Instead, immediately report the vulnerability to the program organizers following the reporting process outlined in the program guidelines. This allows the organization to address the issue before potential harm can occur.
Researchers participating in our programs are expected to adhere to specific Safe Harbor provisions. They are assured Legal Protection; by complying with all program terms, they're granted a legal safe harbor, ensuring they won't face lawsuits or legal actions for their reported findings. Participants also commit to Responsible Disclosure, providing ample time to address and rectify vulnerabilities and doesn't disclose any findings publically what so ever. Testing should be confined only to systems they have explicit authorization to assess. Furthermore, during the assessment, data access should be minimized, focusing only on what's necessary to validate a vulnerability, and retaining no user data beyond what is absolutely required.