At POLi Payments, ensuring the safety and security of data is paramount. It underpins everything we do and ensures we maintain the highest security standards across our products and services. We are committed to working with our merchants, end users, security researchers, and other third parties to respond to legitimate reported security vulnerabilities. We encourage the community to participate in our responsible reporting process.

If you would like to report a security vulnerability, please send an email
Please provide your name, contact information, your PGP public key and company name (if applicable) with each report.
We will acknowledge receipt of your vulnerability report within 2 days and send you regular updates about our progress.

Download the POLi Payments PGP (encryption) Key here.

Responsible Disclosure Guidelines


To encourage responsible reporting, we will not take legal action against you provided you comply with the following Responsible Disclosure Guidelines:

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC);
  • Do not cause service interruption including degradation of service or destruction of data;
  • Do not access, modify, delete or share data that does not belong to you;
  • Do not use social engineering techniques;
  • Give POLi Payments a reasonable time to correct the issue before sharing with any other party and/or person(s) or making any information public.

Third-party software security vulnerabilities

If security vulnerabilities reported to us affect a third-party code library, service or vendor, POLi Payments reserves the right to forward details of the vulnerability to that party without further approval. We will do our best to coordinate and communicate with researchers through this process. POLi Payments reserves the right to accept or reject any vulnerability disclosure coordination role at our discretion.

Any inquiries regarding this policy should be directed to