Security & Responsible Disclosure — JabalPay
Effective date: March 4, 2026
Last updated: March 4, 2026
JabalPay Inc. (“JabalPay,” “we,” “us”) takes security seriously. This page explains how to report security issues and our expectations for responsible disclosure.
Contact (all security reports and inquiries): [email protected]
1) Reporting a security issue
If you believe you’ve found a security vulnerability or suspect a security incident involving JabalPay, email [email protected] with:
-
a clear description of the issue,
-
steps to reproduce (if applicable),
-
affected URLs, endpoints, or screens,
-
any proof-of-concept details (keep it minimal and safe), and
-
your contact information for follow-up.
Please use the email subject line: “Security Report — Responsible Disclosure”.
2) What we ask from you (responsible disclosure)
To protect users and the ecosystem, you agree that you will:
-
not access, modify, delete, or exfiltrate data that does not belong to you,
-
not disrupt our Services (no denial-of-service, spam, or destructive testing),
-
not attempt social engineering against our team or users,
-
not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate, and
-
provide enough detail for us to reproduce and fix the issue.
If you unintentionally access sensitive information, stop immediately and notify us at [email protected].
3) What we consider “out of scope”
The following are generally out of scope for responsible disclosure (unless you have explicit written permission):
-
physical attacks or theft,
-
social engineering or phishing of employees/users,
-
denial-of-service (DoS/DDoS) testing,
-
automated scanning that degrades service performance,
-
vulnerabilities in third-party services we do not control (please report those directly to the third party), and
-
reports based only on “best practices” without a clear security impact.
4) Our response process
When you report an issue, we typically will:
-
acknowledge receipt,
-
assess severity and impact,
-
work to remediate as appropriate, and
-
follow up with you if we need additional detail.
We may not be able to share full details of our investigation or remediation for security reasons.
5) No bug bounty (for now)
JabalPay does not currently operate a public bug bounty program. We may still choose, at our discretion, to recognize helpful reports.
6) Legal safe harbor (good-faith research)
We support good-faith security research conducted in line with this policy. We will not pursue legal action for activities that:
-
are conducted in good faith,
-
avoid privacy violations and service disruption, and
-
are reported promptly to [email protected].
This does not limit our ability to take action in response to malicious activity or conduct that violates applicable law.
7) Updates
We may update this policy from time to time. If we do, we will update the “Last updated” date and publish the revised version on our website.
