Security

Responsible Disclosure

Help us keep Nimo Forex secure. We appreciate the efforts of security researchers who report vulnerabilities responsibly.

Our Security Commitment

At Nimo Forex (operated by Paywize Forex Pvt Ltd), the security of our customers' data and financial information is our highest priority. As an RBI Licensed FFMC, we maintain robust security infrastructure and follow industry best practices including PCI-DSS compliance, AES-256 encryption, and regular security audits.

We recognise that no system is perfect and that the security research community plays a vital role in keeping organisations and their customers safe. We welcome and encourage responsible security research and are committed to working with researchers who identify potential vulnerabilities in our systems.

What to Report

We are interested in receiving reports about the following types of security issues:

Cross-Site Scripting (XSS) vulnerabilities
Cross-Site Request Forgery (CSRF) vulnerabilities
SQL Injection and other injection flaws
Authentication or authorisation bypass issues
Server-Side Request Forgery (SSRF)
Remote Code Execution (RCE)
Sensitive data exposure or information leakage
Business logic vulnerabilities that could lead to financial loss
Privilege escalation issues
Insecure Direct Object References (IDOR)
Vulnerabilities in our mobile applications

How to Report

If you have discovered a security vulnerability, please report it to us by sending an email to:

Security Team

security@nimoforex.com

Please include the following information in your report:

A detailed description of the vulnerability and its potential impact
Step-by-step instructions to reproduce the issue
The URL, endpoint, or component where the vulnerability was discovered
Any proof-of-concept code, screenshots, or video recordings
Your contact information for follow-up communication
Suggested remediation steps, if any

Guidelines

To ensure the safety and privacy of our customers while we investigate and resolve reported vulnerabilities, we ask that you:

Give us a reasonable amount of time to investigate and address the vulnerability before making any public disclosure (minimum 90 days).
Do not access, modify, or delete data belonging to other users. Use only your own test accounts for verification.
Do not perform any actions that could disrupt or degrade our services, including denial of service attacks, spam, or social engineering.
Do not exploit the vulnerability beyond what is necessary to demonstrate the issue.
Do not share details of the vulnerability with third parties until we have had a reasonable opportunity to address it.
Act in good faith and comply with all applicable Indian laws throughout the research and disclosure process.

What We Promise

In return for responsible disclosure, we commit to the following:

We will acknowledge receipt of your report within 48 hours of submission.
We will provide an initial assessment of the report within 7 business days.
We will keep you informed about the progress of the investigation and the steps being taken to address the issue.
We will work diligently to resolve valid security issues in a timely manner.
We will credit your contribution (with your permission) when the vulnerability is resolved, unless you prefer to remain anonymous.
We will not pursue legal action against researchers who follow this policy in good faith.

Out of Scope

The following issues are generally considered out of scope for this programme:

Vulnerabilities in third-party applications, services, or libraries not under our control
Social engineering attacks (including phishing) targeting our employees or customers
Denial of Service (DoS/DDoS) attacks
Physical attacks against our offices, data centres, or infrastructure
Issues relating to email spoofing, SPF, DKIM, or DMARC configuration
Clickjacking on pages with no sensitive actions
Missing security headers that do not lead to a demonstrable exploit
Software version disclosure or banner identification without a demonstrable vulnerability
Rate limiting or brute force issues on non-authentication endpoints
Reports from automated tools or scanners without manual verification

Legal Safe Harbour

Paywize Forex Pvt Ltd will not initiate legal action against security researchers who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy, provided that the researcher:

Acts in good faith and follows the guidelines outlined in this policy
Does not cause harm to our users, systems, or data
Does not violate any applicable laws during the research process
Does not exploit the vulnerability for personal gain or for the benefit of others
Reports the vulnerability directly to us and does not disclose it publicly before resolution

We consider security research conducted in accordance with this policy to be authorised and will not pursue civil or criminal action against researchers who comply with these terms. If legal action is initiated by a third party against a researcher for activities conducted in compliance with this policy, we will make reasonable efforts to make it known that the researcher's actions were conducted in accordance with this policy.

Questions about this policy?

Contact our security team at security@nimoforex.com or reach our general support at support@nimoforex.com.

Last updated: February 2026