Fusion Bug Bounty Program


Fusion are serious about security and our platforms are designed to protect both merchants and end users. We continuously monitor transactions and evolve our fraud detection techniques. We adhere to industry-leading standards to manage our network, secure our web and client applications, and set policies across our organization. As part of this approach we invite responsible white hat security researchers to partake in our Bug Bounty Program.

If you believe you have discovered a security vulnerability, please follow the guidelines below.

Report Guidelines

If you think you have found a security vulnerability in any Fusion product, please report it to us straight away by emailing bugs@fusion-payments.com

Please include detailed steps to reproduce and a brief description of what the impact is:

  • Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc.
  • Describe the versions of all relevant components of the attack (eg browser, OS, mobile app version).
  • Describe a concrete attack scenario. How will the problem impact Fusion users or merchants? Put the problem into context.

We encourage responsible disclosure (as described below), and we promise to investigate all legitimate reports in a timely manner and fix any issues as soon as we can.

Bounty Program

Bug reports will be evaluated in terms of severity and compensated as follows:

  • Critical: Any bug that might grant unauthorized access to confidential payment information like cards or pins, or allows an attacker to make payments on a users behalf:
    • Critical bugs have a minimum bounty of Rp5.000.000
  • Severe: Any bug that might grant unauthorized access to a users account but not allow for its exploitation for payments:
    • Severe bugs have a minimum bounty of Rp2.000.000
  • Minor: Any bug that enables an attacker to exploit promotions or rewards schemes, or bugs that might otherwise potentially impact the security of our service.
    • Interesting minor bugs have a minimum bounty of Rp500.000

In order to qualify for a bounty, you must meet the following criteria

  • Adhere to our responsible disclosure policy
  • Adhere to our reporting guidelines

Note the scope of this bounty program is limited to the following domains:

  • BerUang.co.id
  • fpay.io
  • fusionpay.io

The following types of attack are not in scope / eligible for the bounty:

  • Spam or social engineering techniques.
  • Denial-of-service attacks.
  • Content injection is ineligible unless you can clearly demonstrate a significant risk.

Responsible Disclosure Policy






We ask that during your research you make every effort to maintain the integrity of our users' data, avoiding violating privacy or degrading our service. You must give us reasonable time to fix any vulnerability you find before you make it public. In return we promise to investigate reports promptly and not to take any legal action against you.

We aim to make a more secure service for users and merchants, and want to work with people who share that goal.