
BUG BOUNTY

Report a vulnerability.

Tanqory partners with security researchers worldwide. Submit a vulnerability and we will acknowledge it within 24 business hours and respond with an initial assessment within 10 business days.

Email security@tanqory.com | Read the full policy

Scope

Test only the surfaces listed as in-scope. Use test accounts and synthetic data — do not touch real customer data. If you discover a vulnerability in something not listed, contact us before testing.

In scope

  • *.tanqory.com production domains (api, admin, store, mytanqory, and other listed subdomains)
  • Tanqory iOS merchant app (com.tanqory.merchant)
  • Tanqory Android merchant app (com.tanqory.merchant)
  • Tanqory REST and GraphQL APIs
  • Authentication, account, and merchant/admin/partner portals

Out of scope

  • Third-party services we depend on (Stripe, Cloudflare, AWS, and others) — report directly to the provider
  • Social engineering of Tanqory staff, customers, or partners
  • Physical attacks against Tanqory facilities or staff
  • Denial of service or distributed denial of service
  • Issues in features that are explicitly marked beta or sandbox
  • Self-XSS without amplification
  • Missing security headers without a working exploit
  • Theoretical issues without a working proof of concept

Severity and rewards

Severity is rated on CVSS v3.1 with business-context adjustment. Reference ranges are listed below; the final award also considers exploitability, report quality, and uniqueness.

Severity | Reward range | Examples
Critical | USD 10,000 – 18,000 | Remote code execution, payment-data SQL injection, authentication bypass, payment tampering, mass data breach, critical cloud or IAM takeover.
High | USD 4,000 – 10,000 | Stored XSS on critical surfaces, internal SSRF with impact, payment IDOR, broken access control affecting sensitive data or flows.
Medium | USD 750 – 4,000 | CSRF password change, reflected XSS with realistic impact, subdomain takeover, business-logic abuse with fraud potential.
Low | USD 100 – 750 (or swag) | Low-impact technical issues with limited risk.
Informational | Recognition only | Hardening recommendations, defence-in-depth observations, security telemetry hygiene.

Bonuses

  • First valid Critical of a quarter: +25%.
  • Multi-step exploit chain with end-to-end impact: +50%.
  • High-quality report (clean reproduction, working exploit, remediation guidance): +10–25%.

All amounts are in USD. FX is applied at the approval date if a different currency is requested. Payment is by bank transfer or PayPal; W-8BEN/W-9 may be required for tax compliance.

How to submit

Submit via the channels below. Encrypt sensitive details with our PGP key (publication pending). The Bug Bounty Policy on the Legal Center is authoritative for what a report must contain.

Primary

security@tanqory.com

Use subject line "[Bug Bounty] <short summary>". Acknowledgement within 24 business hours.

Backup

bounty@tanqory.com

Used if the primary mailbox is unreachable.

PGP key

trust.tanqory.com/pgp-key.txt

Publication pending. Until then, encrypt with the key identified by the fingerprint in our security.txt.

Future bounty portal

security.tanqory.com/bounty

Currently DNS-only. Deployment pending — please use the email channels above.

security.txt (RFC 9116)

trust.tanqory.com/.well-known/security.txt

Machine-readable security contact, encryption, and policy references.

What to include in a report

  • Researcher contact information.
  • Target hostname, endpoint, or app identifier.
  • Steps to reproduce, ordered and minimal.
  • Working proof of concept (screenshot, screen recording, or script).
  • Impact statement and a proposed CVSS v3.1 base score.
  • Description of any data observed during the test (do not exfiltrate beyond what is needed).

Rules of engagement

Researchers acting in good faith within scope and within these rules will not face legal action from Tanqory. Stepping outside this envelope voids safe harbor.

Do

  • Use test accounts and synthetic data only.
  • Stop testing the moment you encounter real customer data and report immediately.
  • Rate-limit automated tools and stop on HTTP 429.
  • Report duplicates clearly — first complete report prevails.
  • Hold disclosure until a coordinated date (default 90 days from initial report).

Do not

  • Do not exfiltrate or modify customer data.
  • Do not run social-engineering or phishing campaigns against Tanqory staff, customers, or partners.
  • Do not run DoS, DDoS, or stress tests without prior written approval.
  • Do not use mass fake accounts or bypass anti-abuse controls.
  • Do not sell, weaponise, or publicly disclose findings before an agreed disclosure window.

Researchers who act in good faith, within scope, and within these rules are covered by safe harbor. Local laws that require explicit authorisation to test are not overridden by safe harbor — researchers must obtain and retain such authorisations.

Responsible disclosure

Tanqory follows coordinated disclosure. Default embargo is 90 days from initial report, extended where remediation requires it and shortened where there is no impact to customers.

Acknowledgement

Within 24 business hours

Initial human acknowledgement of your report. Receipt notice is automatic.

Status update

Within 5 business days

Triage outcome, severity rating, duplicate check, and the engineering owner.

Initial assessment

Within 10 business days

Confirmed severity, reward range, and target remediation window. If we need more time we tell you.

Disclosure window

Default 90 days

Coordinated disclosure window, adjustable by agreement. We will credit researchers (with consent) after remediation.

Eligibility

  • 18+ or have parental consent where required by local law.
  • Not on US OFAC, EU, or UN sanctions lists.
  • Not a current Tanqory employee, contractor, or immediate family member within the last 12 months.
  • Comply with local cybersecurity and data-protection laws as well as Singapore law.

Common questions about the bug bounty program

How long does triage take?

Acknowledgement within 24 business hours, status update within 5 business days, initial assessment within 10 business days. If we need more time we will tell you.

Will I get public credit?

Yes, on opt-in. A hall-of-fame surface is maintained on the security portal. We credit researchers (with consent) after the fix ships.

What if my report is a duplicate?

The first complete report prevails. Later reports may receive recognition if they add material new information (for example a new attack chain or a better PoC).

Can I test in production?

Yes, against the in-scope production surfaces, but only with test accounts and synthetic data, and only with rate-limited tooling. Stop on HTTP 429. No destructive PoC (data deletion, transaction tampering).

What if I find a vulnerability in a third-party service?

Report it directly to that provider's program (for example Stripe, Cloudflare, AWS). Tanqory does not pay bounties for third-party services we depend on. If the third-party vulnerability has a Tanqory-specific exploitation path, send us a separate report with the chained impact.

Do you pay for low-severity issues?

Yes, USD 100 to 750 or swag. We do not pay for scanner noise, version disclosure without exploit, SPF/DKIM/DMARC findings, clickjacking on static pages, non-sensitive cookie flags, self-XSS, or purely theoretical attacks without a working PoC.

What payment methods do you support?

Bank transfer or PayPal. KYC and tax forms (W-8BEN or W-9 as applicable) are required for payouts. Payouts target 15 business days after the reward amount is agreed.

Found something? Tell us.

Email security@tanqory.com or read the full Bug Bounty Policy on the Legal Center. We respond to every report.

© 2024–2026 Tanqory