Purpose
Mercemur welcomes coordinated vulnerability reports from external security researchers, customers, merchants, and the public. This policy describes what is in scope, how to report, the safe harbor we provide for good-faith research, and the timeline we will work to with you.
Scope
In scope
- mercemur.com, www.mercemur.com, api.mercemur.com, app.mercemur.com, stores.mercemur.com, cdn.mercemur.com, status.mercemur.com, docs.mercemur.com
- Merchant custom domains where Mercemur is responsible for the application layer
- Public APIs documented in our OpenAPI spec
- Mercemur-owned mobile clients (when released)
- Mercemur-owned GitHub repositories that are publicly accessible
Out of scope
- Social engineering of Mercemur employees, contractors, or merchants
- Physical attacks against Mercemur facilities, employees, or vendors
- Denial-of-service testing
- Third-party services (Stripe, Razorpay, Dodo, Wasabi, Cloudflare, Resend, GitHub, Google); report issues in those services to the vendor directly
- Testing against live merchant data or live merchant accounts without their explicit consent
- Spam-related reports (DMARC, SPF, DKIM misconfigurations); use the abuse channels instead
- Issues already reported and tracked by Mercemur
- Issues requiring physical access or an already-compromised endpoint device
Safe harbor
Mercemur will not pursue civil or criminal action against researchers who in good faith comply with this policy. Specifically, please:
- Make every effort to avoid privacy violations, data destruction, service interruption, and degradation.
- Only interact with accounts you own or have explicit permission to access.
- Do not exfiltrate data. Proof of concept only.
- Stop testing and notify us immediately if you encounter sensitive data.
- Do not disclose publicly before the coordinated timeline expires.
- Comply with all applicable laws.
If you are uncertain whether a particular activity is in scope, write to support@mercemur.com before proceeding.
Reporting channels
- Primary, PGP-encrypted email: support@mercemur.com. PGP key at /.well-known/pgp-key.txt.
- Web form: mercemur.com/security/report, if email is not feasible.
- Postal mail: Zemuria Inc., Bengaluru registered office, as a last resort.
Please include: a vulnerability description, affected systems, reproduction steps, observed impact, a CVSS-style severity estimate, your contact info (or "anonymous"), and any preferred coordinated disclosure timeline.
Response SLA
| Severity | Acknowledgment | Triage | Patch target | Disclosure window |
|---|---|---|---|---|
| Critical | 24 hours | 3 business days | 7 days | 30 days minimum, 90 days maximum |
| High | 24 hours | 5 business days | 30 days | 60 to 90 days |
| Medium | 3 business days | 10 business days | 90 days | 90 days |
| Low | 5 business days | 15 business days | 180 days | 90 days |
If we cannot meet a patch target, the Security Lead will negotiate an extension with the researcher. The disclosure clock pauses while patches are tested with researcher cooperation.
Coordinated disclosure timeline
The default disclosure window is 90 days from the initial report. It is negotiable based on severity, complexity, and whether active exploitation is observed. With your consent, you receive credit on our Hall of Fame once patches are deployed and disclosure is appropriate.
Hall of Fame
We publish researcher credits at mercemur.com/security/hall-of-fame for valid coordinated disclosures, with researcher consent. A bug bounty program is targeted for 2027 Q1. Until then: public credit and Mercemur swag for valid reports.
Rate limit coordination
If you plan sustained testing against /licenses/validate, /hooks/*, or /store/customers/me/downloads/*, please announce your source IP range to support@mercemur.com first. Otherwise our Cloudflare WAF and backend rate limiters will treat your probes as an attack.
What not to do
- Do not exfiltrate any data, including synthetic data.
- Do not disrupt service for other merchants or end customers.
- Do not pivot to other merchants' data.
- Do not access employee or customer accounts beyond your own test account.
- Do not publicly disclose before the agreed timeline.
- Do not extort, threaten, or demand payment in exchange for disclosure.
- Do not test against production merchant data without explicit consent.
Contact and PGP
Primary contact: support@mercemur.com. PGP key at /.well-known/pgp-key.txt and on keys.openpgp.org.
PGP fingerprint: 65A4 2B91 7E03 D5C8 0F1B 94E2 88AC 7F3D 1234 5678
Our machine-readable contact card lives at /.well-known/security.txt per RFC 9116.
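As an illustration of what that RFC 9116 contact card would contain for the channels listed on this page, the following is an added example file and not Mercemur's published security.txt. The Contact, Encryption, Acknowledgments and fingerprint values are taken from this policy; the Expires date, the Policy URL and the https scheme on the web-form URL are assumptions, not values stated on the page.

```text
# Example security.txt for mercemur.com (RFC 9116 field names).
# Added illustration, not the live file; Expires and Policy are placeholders.
Contact: mailto:support@mercemur.com
Contact: https://mercemur.com/security/report
Encryption: https://mercemur.com/.well-known/pgp-key.txt
Encryption: openpgp4fpr:65A42B917E03D5C80F1B94E288AC7F3D12345678
Acknowledgments: https://mercemur.com/security/hall-of-fame
Policy: https://mercemur.com/security/policy
Canonical: https://mercemur.com/.well-known/security.txt
Preferred-Languages: en
Expires: 2026-12-31T23:59:59.000Z
```

RFC 9116 requires the Contact and Expires fields and recommends serving the file over HTTPS at /.well-known/security.txt, signing it with an OpenPGP cleartext signature from the key referenced in the Encryption field, and keeping Expires under a year in the future so that stale contact details are not relied upon.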