At GCash, security is built into everything we do. Technology isn’t perfect, which is why we constantly strengthen our systems to keep our customers safe.
If you discover a potential security or privacy issue that could affect GCash or our customers, we encourage you to report it to us. While this is a voluntary, non-monetary disclosure program, we are committed to working with you to investigate and address your findings responsibly.
We genuinely appreciate the effort of anyone who helps us identify possible vulnerabilities or errors. Your reports are invaluable in helping us improve the security and reliability of our products and services for everyone.
Safe Harbor and Rules of Engagement
GCash is committed to protecting those who help us secure our platform. We will not initiate legal action or support law enforcement investigations against you for accessing an in-scope system without permission, provided your actions are conducted in good faith and strictly adhere to the conditions below.
While we strongly encourage research on assets explicitly listed as "In-Scope," we understand that security research may occasionally touch upon connected systems. Safe Harbor protections extend to out-of-scope findings only if the report is submitted in good faith and does not violate the fundamental prohibitions listed under the prohibited conduct section.
GCash reserves the right to determine, in its sole discretion, whether a submission and the researcher's conduct comply with these rules.
Expected Conduct
When participating in GCash’s Vulnerability Disclosure Program, you are expected to:
- Act Responsibly & Lawfully - Use the program only for good-faith research and disclosure. Protect our users, systems, and data at all times. You must not violate any existing laws and regulations while conducting research.
- Stay Within Scope - Test only the systems, applications, and assets explicitly listed as in-scope. Anything outside scope must not be touched. Unauthorized testing is a violation of this program and voids the safe harbor provision.
- Avoid Service Disruption - Conduct testing in a manner that does not degrade, interrupt, or impact the availability, reliability, or performance of our products and services.
- Respect Data Privacy and Data Minimization - Do not intentionally access, copy, alter, or exfiltrate personal data (including customer or employee information). If your testing inadvertently leads you to encounter such data, you must: 1. cease testing immediately; 2. delete or destroy any copies of the data in your possession; 3. report the incident immediately in your submission.
- Minimize Intrusiveness - Use only the minimum level of testing necessary to validate a vulnerability. Prefer a minimal proof of concept over full exploitation. Avoid automated scanning tools that generate large volumes of traffic.
- Maintain Strict Confidentiality - Except for the good-faith report to GCash, do not disclose or publicly discuss any vulnerabilities, findings, or related information (including the fact that a vulnerability exists) until GCash confirms they are remediated and you have received express written permission for disclosure.
- Provide Clear Reports - Submit well-written, detailed reports that include steps to reproduce, evidence of impact, and remediation suggestions where possible.
- Use the Mandatory Intake Method - All vulnerability reports must be submitted exclusively via the Report Intake Form on this page or via email at vulnerability-disclosure@gcash.com. Using unauthorized channels (e.g., social media, direct messaging employees) violates this policy and voids your Safe Harbor protection.
Prohibited Conduct
To protect our customers, products and services, the following activities are strictly prohibited:
- Exploit Vulnerabilities Beyond Reporting - Do not use discovered vulnerabilities and errors for any purpose other than the demonstration necessary for submitting a report to GCash.
- Misuse Vulnerabilities - Do not attempt to profit from, demand compensation for (extortion), weaponize, resell, or use vulnerabilities for personal gain or malicious activity.
- Alter, Delete, or Destroy Data - Do not access, modify, delete, or destroy GCash or customer data under any circumstance. If data exposure is unintentionally encountered, stop immediately, provide assurance of data deletion/non-retention, and report it.
- Interfere With Systems - Do not manipulate system configurations, accounts, or services in a way that could impact reliability, availability, or integrity. This includes, but is not limited to, changing passwords, modifying access rights, or installing malware.
- Conduct Social Engineering - Do not attempt phishing, pretexting, impersonation, or other social engineering attacks against GCash employees, customers, or partners.
- Publicly Disclose Without Approval - Do not share details of any vulnerability outside of the approved coordinated disclosure process with GCash. Violation of this clause results in the immediate revocation of the Safe Harbor protection.
- Share, Transfer, or Disclose Personal or Sensitive Information - Do not share, transfer, or disclose any Personal Data inadvertently obtained through testing, whether publicly or privately, without the explicit written consent of GCash.
- Contravene Applicable Laws - Do not engage in any activity that violates applicable laws or regulations, including but not limited to the Cybercrime Prevention Act of 2012 (RA 10175), the Data Privacy Act of 2012 (RA 10173), and relevant data protection and cybersecurity laws. You are responsible for knowing and adhering to all applicable laws within your jurisdiction.
In-Scope Vulnerabilities
The following types of vulnerabilities are considered in scope (the list is illustrative, not exhaustive):
- Disclosure of PII or SPI that does not belong to you
- Cross-Site Scripting (XSS)
- Injection issues (e.g., SQL, Command, etc.)
- Server-Side Request Forgery (SSRF)
- Server-Side Template Injection (SSTI)
- XML External Entity (XXE)
- Remote Code Execution (RCE)
- Insecure Direct Object References (IDOR)
- Local File Inclusions (LFI)
- Remote File Inclusions (RFI)
- Account Takeover (ATO)
- Privilege Escalation (Horizontal/Vertical)
- Authorization and Authentication Flaws (Broken Access Control)
- Business logic flaws
- Significant security misconfiguration with verifiable security impact
- Clever vulnerabilities that bypass our security controls
Out-of-Scope Vulnerabilities
The following issues are considered out of scope for our Vulnerability Disclosure Program.
- Cosmetic Issues
  - UI or UX bugs, spelling mistakes
  - Broken links or link takeover
  - Tabnabbing
  - Content spoofing / HTML injection
  - EXIF geolocation data
  - Presence of autocomplete on web forms
- Best practice or configuration issues without clear impact
  - Missing SSL/TLS best practices
  - Missing cookie attribute best practices
  - Missing email configuration best practices
  - Missing security headers
  - Server version disclosure
  - Infrastructure configuration (e.g., SSL certificates, DNS, TLS versions, open ports) without demonstrated impact
  - Failure to invalidate session issues
  - Descriptive error messages (e.g., stack traces, application or server errors, path disclosure)
- Testing or reporting issues
  - Scanner-only output or automated scanner reports
  - Vulnerabilities already known (previously reported by other researchers, partners, vendors, or internal audits)
  - Vulnerabilities in third-party libraries without showing actual impact
- Attacks with no meaningful or practical security risk
  - Clickjacking on non-sensitive pages or those requiring multiple user interactions
  - CSRF without any security impact (login, logout, forgot password, etc.)
  - Self-XSS (payloads entered by the victim)
  - User enumeration (e.g., identifying accounts via error messages)
  - Lack of rate limiting
  - Any issue requiring highly unlikely or unrealistic user interaction, such as disabling browser controls
  - Open redirects - We only accept reports of open redirects if they can be chained with another issue to demonstrate a more serious vulnerability.
  - Host header injection without verifiable impact
  - DNSSEC findings
  - Internal IP address disclosure
- Non-technical or out-of-bound activities
  - Physical attacks against GCash property or data centers
  - Social engineering of employees or impersonation attempts (including via chat, social media, or personal domains)
  - Use of stolen employee, consumer, or merchant credentials
  - Exploits requiring physical access to a device
  - Spamming
- Other specific exclusions
  - CSV injection
  - Disclosure of known public files or directories (e.g., robots.txt)
  - Abandoned/unclaimed domains, domain squatting, link rot, social media hijacking, etc.
  - No CAPTCHA / weak CAPTCHA / CAPTCHA bypass
  - Findings related to insecure storage
Assets
Mobile Applications
You may visit GCash Help Center to learn more about our mobile application.
Web Components
Subdomains with labels like lab, sit, uat, test, or anything similar are treated as non-production environments.
| Asset | Tags |
| --- | --- |
| Production *.gcash.com | Website Testing, API Testing |
| Production *.mynt.xyz | Website Testing, API Testing |
| FUSE Lending website | Website Testing |
| MYNT website | Website Testing |