Security & Responsible Disclosure
Last updated: 8 May 2026 · Operated by DevServe HK Limited
Security is foundational to PayBees. This page describes the technical safeguards we apply to the website and the process for reporting a security issue to us.
Our security posture
PayBees follows OWASP best-practice guidance for public-facing web applications:
- HTTPS-only — enforced via HSTS with a 2-year max-age, includeSubDomains, and preload eligibility.
- Strict CSP — first-party scripts and styles only, plus narrowly allowlisted Google Fonts; no third-party advertising or analytics.
- Clickjacking protection — X-Frame-Options: DENY plus CSP frame-ancestors 'none'.
- MIME-sniff blocking — X-Content-Type-Options: nosniff.
- Permissions hardening — camera, microphone, geolocation, payment, and USB APIs denied by default via Permissions-Policy.
- Cross-origin isolation — Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Resource-Policy: same-origin against Spectre-class attacks.
- Email authentication — outbound mail from paybees.money is signed with DKIM and aligned via SPF and DMARC, in line with the 2024 Gmail / Yahoo / Microsoft sender requirements.
- No third-party trackers — no Google Analytics, no behavioural tracking, no fingerprinting.
- No PII in client storage — localStorage is used only for the user's theme and language preferences.
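The HTTP-header items in the list above can be verified mechanically rather than by eye. The script below is an added example, not PayBees' or DevServe's own tooling: it audits a mapping of response headers against each header-level item (HSTS lifetime and flags, CSP frame-ancestors and the restrictiveness of script-src, X-Frame-Options, nosniff, the five denied Permissions-Policy features, COOP and CORP) and returns the gaps it finds. The two header sets at the bottom are constructed samples, not captured from paybees.money; in practice you would feed it the headers your own HTTP client receives. The 'unsafe-inline' check on script-src is an addition beyond the list, included because an allowlist that permits inline scripts is not first-party-only in any useful sense.

```python
"""Audit HTTP response headers against the hardening baseline listed above.
Added example (not PayBees tooling); the sample header sets are constructed."""

import re
from typing import Dict, List

TWO_YEARS = 63072000  # seconds: the 2-year HSTS max-age the policy describes
DENIED_FEATURES = ("camera", "microphone", "geolocation", "payment", "usb")


def _csp_directive(csp: str, name: str) -> List[str]:
    """Return the source list of one CSP directive ([] if absent)."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return []


def _permissions_policy(value: str) -> Dict[str, str]:
    """Parse 'camera=(), geolocation=(self)' into {feature: allowlist}."""
    policy: Dict[str, str] = {}
    for item in value.split(","):
        if "=" in item:
            feature, allowlist = item.split("=", 1)
            policy[feature.strip().lower()] = allowlist.strip()
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the baseline is met."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings: List[str] = []

    # HTTPS-only: HSTS with a 2-year max-age, includeSubDomains and preload
    hsts = h.get("strict-transport-security", "")
    max_age = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not max_age:
        findings.append("HSTS missing or has no max-age")
    else:
        if int(max_age.group(1)) < TWO_YEARS:
            findings.append("HSTS max-age below 2 years")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in hsts.lower():
            findings.append("HSTS lacks preload")

    # Strict CSP: frame-ancestors 'none' and a script-src that is a real allowlist
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing")
    else:
        if _csp_directive(csp, "frame-ancestors") != ["'none'"]:
            findings.append("CSP frame-ancestors is not 'none'")
        script_src = _csp_directive(csp, "script-src") or _csp_directive(csp, "default-src")
        if "*" in script_src or "'unsafe-inline'" in script_src:
            findings.append("CSP script-src allows wildcard or inline scripts")

    # Clickjacking and MIME-sniff protection
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    # Permissions hardening: each listed feature must have an empty allowlist
    policy = _permissions_policy(h.get("permissions-policy", ""))
    for feature in DENIED_FEATURES:
        if policy.get(feature) != "()":
            findings.append(f"Permissions-Policy does not deny {feature}")

    # Cross-origin isolation: both COOP and CORP pinned to same-origin
    for name in ("cross-origin-opener-policy", "cross-origin-resource-policy"):
        if h.get(name, "").lower() != "same-origin":
            findings.append(f"{name.title()} is not same-origin")

    return findings


# Constructed sample: a response that meets every header item in the list
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self'; "
                                "style-src 'self' https://fonts.googleapis.com; "
                                "font-src https://fonts.gstatic.com; frame-ancestors 'none'"),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=(), usb=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}

# Constructed sample: a partially hardened deployment with the usual gaps
WEAK = {
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "Permissions-Policy": "camera=(self), microphone=()",
}

if __name__ == "__main__":
    for label, headers in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"{label}: {audit_headers(headers) or ['baseline met']}")
```

Run against the hardened sample the audit returns no findings; against the weak sample it reports thirteen, one per gap, which is the output you would want to diff between deployments or gate a release on.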
Production roadmap
Before any production payment processing, the PayBees platform will operate under SOC 2 Type II controls and applicable payment-services licences in each jurisdiction we serve, including, where relevant, Hong Kong's SVF and MSO regimes, the United States MSB framework, the European EMI framework, and the United Arab Emirates VARA regime.
Responsible disclosure
Found a security issue? Please report it privately to security@paybees.money. We will not pursue legal action against good-faith researchers who follow this policy.
What's in scope
- paybees.money and any subdomain we operate (currently the apex only).
- Email addresses on the paybees.money domain.
What's out of scope
- Findings that require physical access to a user's device or social engineering of staff.
- Denial-of-service attacks or volumetric load tests of any kind.
- Issues in third-party services we use (e.g., Netlify, Google Workspace) — please report those directly to the relevant provider.
- Reports based purely on missing best-practice headers without a demonstrated impact.
- Spam, phishing, or social-engineering attempts impersonating PayBees that originate outside our infrastructure (please report these to security@paybees.money for tracking, but they fall outside our remediation scope).
What to include in your report
- A clear, concise description of the issue and where it was found (URL, parameter, request).
- Steps to reproduce, with sample requests or a proof-of-concept where possible.
- Impact assessment from your perspective.
- Your name or handle if you would like to be credited; otherwise we will treat the report as anonymous.
Our commitments
- We aim to acknowledge receipt within 48 hours (Hong Kong business days).
- We aim to provide an initial triage assessment within 5 business days.
- We will keep you reasonably informed of progress until the issue is resolved.
- We will publicly credit you, with your permission, once a fix is deployed.
Safe harbour
Provided that your testing is consistent with this policy, follows applicable law, and is limited to in-scope assets, DevServe HK Limited will:
- Consider your activity authorised under our terms of use, despite Section 4 (Acceptable use) of the Terms & Conditions.
- Not bring or support a private legal action against you in connection with that testing.
- Work with you in good faith to understand and resolve the issue quickly.
Safe harbour does not apply to testing that violates third-party rights, accesses or copies third-party data, or causes service degradation.
Contact
DevServe HK Limited — Security Team
Unit 1411, 14/F, COSCO Tower, 183 Queen's Road Central, Sheung Wan, Hong Kong
Email: security@paybees.money