Developer Documentation

Pentest Scope

Penetration Test Scope

This document is a preparation template for an authorized test only.

Target

• Base URL: https://api.sikaahub.com/v1
• Test environment: staging/sandbox only unless written approval says otherwise.
• Production testing requires a maintenance window and approval.

In Scope

• Authentication and refresh tokens
• Customer and merchant onboarding
• KYC upload/review APIs
• Wallet, ledger, payment, withdrawal, settlement APIs
• Admin operations APIs
• Developer API keys and partner APIs
• Webhooks and provider simulation
• Rate limiting and idempotency
• File access controls

Out of Scope

• Social engineering
• DDoS or destructive load testing
• Real provider/telco/bank/GhIPSS systems
• Physical security
• Mobile app UI, dashboard UI, and public website UI until built

Test Accounts

Use docs/pentest-test-accounts-template.md. Do not place real passwords or secrets in this repository.

Reporting

Report findings with severity, endpoint, reproducible steps, evidence, impact, and remediation guidance.

Responsible disclosure contact placeholder: security@sikaahub.com.