Bug Bounty Program Documentation
Program Overview
Our Bug Bounty Program is an open initiative designed to strengthen the security and integrity of our digital services. We extend an open invitation to ethical security researchers, penetration testers, and cybersecurity enthusiasts worldwide to responsibly probe our applications and services for potential vulnerabilities. Through this initiative, we aim to foster a collaborative relationship with the global security community and continuously enhance the safety of our infrastructure.
The program provides a transparent and rewarding platform where researchers can safely test and responsibly disclose security flaws they identify in our systems. We highly value the contributions of those who take the time to help us secure our platform, and we believe that by working together, we can create a more resilient, trustworthy environment for our users and partners.
Our scope includes a wide range of assets: public-facing websites, mobile applications, cloud-hosted services, and backend APIs. We carefully define these assets to ensure researchers have clear, actionable targets while respecting operational safety and user privacy. In-scope assets may change as we expand our services, and the program dashboard will always reflect the latest updates.
Participants in the program are expected to adhere to strict rules of engagement to ensure the safety and integrity of our systems and users. This includes avoiding actions that could cause disruption or harm, such as denial of service attacks, social engineering, or accessing sensitive user data. We also encourage researchers to halt any testing immediately if they encounter personal data and report it as soon as possible.
Valid vulnerability reports will be rewarded based on a severity-based tier system aligned with industry standards like CVSS v3.1. The reward structure ranges from recognition on our public hall of fame to monetary rewards, depending on the impact and criticality of the reported issue. The aim is to recognize meaningful contributions while ensuring fair compensation for effort and expertise.
Beyond financial rewards, top contributors may receive exclusive invitations to participate in private bounty programs, early-access beta testing, and cybersecurity workshops hosted by our team. We aim to cultivate an engaged, knowledgeable, and diverse security community that grows alongside our platform.
Our security team is dedicated to triaging and addressing valid reports promptly. Every submission is reviewed and verified, with researchers receiving timely updates throughout the lifecycle of their report. We believe in fostering transparent communication and trust within the security community, and our disclosure timelines reflect a balance between protecting our users and acknowledging the contributions of researchers.
We are excited to work with you in creating a safer, more secure digital experience for everyone. Whether you’re a seasoned professional or an aspiring security researcher eager to make your mark, we invite you to participate and help shape the security future of our platform.
Scope (In-Scope and Out-of-Scope Assets)
To maintain clarity and operational safety, we provide a comprehensive and frequently updated list of assets that are considered in-scope for testing. Researchers are expected to focus their security assessments exclusively on these designated assets. Any assets not explicitly mentioned here should be considered out-of-scope unless otherwise stated.
In-Scope Assets:
- Web Applications: All publicly accessible websites and web portals hosted under our official domains (e.g., example.com, *.example.com). This includes:
- User-facing websites (marketing pages, login portals, dashboards)
- Partner portals and internal-facing web interfaces (if listed explicitly)
- Administrative panels accessible via approved test accounts
- Mobile Applications: Officially published mobile apps available on the Apple App Store and Google Play Store under our company account. Researchers must use test accounts or anonymized profiles for testing.
- Public APIs: Documented or publicly accessible API endpoints under our main domain or subdomains. This includes:
- RESTful and GraphQL APIs exposed to external developers and users
- Authentication, session management, and payment processing APIs
- API documentation interfaces (e.g., Swagger, Postman collections)
- Cloud Services & Infrastructure: As detailed in the program dashboard. This may include:
- Publicly exposed cloud-hosted services
- DNS records and CDN endpoints associated with our domains
- Third-party integrations explicitly listed as in-scope
- Beta / Staging Environments: Specific test environments that have been made publicly available for security testing purposes, as documented on our program dashboard.
Out-of-Scope Assets:
- Third-party services not explicitly listed as in-scope
- Physical infrastructure or office networks
- Internal corporate systems, unless specifically authorized
- Employee or contractor personal devices and email accounts
- Denial of Service (DoS/DDoS) and resource exhaustion attacks
- Social engineering attempts targeting our staff, customers, or vendors
Testing any asset not explicitly included in the in-scope list without prior written approval is strictly prohibited and may result in legal action. All in-scope assets, targets, and their current operational status can be found on the program dashboard, which is updated regularly.
Rules of Engagement
To ensure the safety of our systems, protect user data, and promote responsible disclosure, all participating researchers must adhere to the following Rules of Engagement. These rules establish clear expectations and boundaries for testing activities conducted under this program.
Researchers Must:
- Test Only Authorized, In-Scope Assets: Conduct security assessments solely against the systems, applications, and APIs explicitly listed as in-scope in this document or program dashboard. Do not test third-party services, employee systems, or infrastructure not listed.
- Avoid Destructive Testing: Do not perform any actions that may harm the availability, integrity, or confidentiality of systems or data. This includes, but is not limited to:
- Denial of Service (DoS/DDoS) attacks or resource exhaustion tests
- Automated brute-force attacks on login, password reset, or API endpoints
- Data deletion, data modification, or database dropping attempts
- Avoid Social Engineering: Do not attempt to gain unauthorized access through social engineering, phishing emails, phone calls, or physical visits targeting our staff, customers, or vendors.
- Cease Testing if Sensitive Data is Encountered: Immediately stop any testing activity if sensitive, personally identifiable, financial, or protected health information is unintentionally accessed. Securely delete any local copies and promptly report the incident.
- Limit Automated Scans: Avoid using automated scanning tools without explicit permission, as they can affect service availability and distort operational metrics. If necessary, coordinate timing and scope with the security team.
- Use Test Accounts Where Possible: Perform all testing activities using non-production or approved test accounts provided by our security team to minimize operational impact.
- Report Vulnerabilities Promptly and Confidentially: Submit findings immediately through the designated reporting process, maintaining strict confidentiality until coordinated public disclosure is approved.
- Do Not Access or Modify Other Users' Data: Under no circumstances should researchers intentionally access, modify, or delete data belonging to other users, customers, or third parties.
- Respect System Availability: Ensure your activities do not degrade the availability or stability of production services for legitimate users.
Failure to comply with these rules may result in disqualification from the program, forfeiture of rewards, revocation of testing privileges, and possible legal action. By participating in this program, researchers agree to act in good faith and with integrity.
Vulnerability Disclosure Policy
We highly value the contributions of independent security researchers and encourage the responsible disclosure of vulnerabilities. Our goal is to resolve legitimate security issues quickly to keep our users and data safe. This policy outlines our expectations and commitments to researchers who choose to report vulnerabilities in good faith.
Disclosure Expectations:
- Vulnerabilities should be reported promptly upon discovery through our designated reporting platform or via email at shvetgharework@example.com.
- Do not publicly disclose, discuss, or share vulnerability details until a fix has been implemented and you have received explicit written permission from our security team.
- We request a reasonable period of 90 days from the date of submission to investigate, validate, and resolve reported issues before any public disclosure.
- Coordinate disclosure timelines and possible exceptions with our security team when necessary — we are open to adjusting the timeline for particularly complex or critical vulnerabilities.
Our Commitments to Researchers:
- We will acknowledge receipt of valid reports within 5 business days.
- Provide regular updates on report status and remediation progress, including estimated timelines for resolution.
- Offer public recognition in our Hall of Fame or contributor page for impactful discoveries, with the researcher’s consent.
- Provide financial rewards (if applicable) according to our published Reward Structure based on the severity of the reported vulnerability.
- Grant legal Safe Harbor protections, as outlined in our Legal Safe Harbor policy, to researchers acting in good faith and within the program’s rules.
We believe in a collaborative security approach and encourage responsible researchers to help us improve the security and resilience of our systems.
Reward Structure (Severity-Based Tiers)
Rewards are assessed based on the severity of the reported vulnerability, following the CVSS v3.1 (Common Vulnerability Scoring System) framework. The final reward decision may also consider factors like business impact, exploitability, and the quality of the report.
Severity Tiers & Reward Ranges:
- Low (0.1–3.9): ₹1,000 – ₹3,000
- Information disclosure without direct impact (e.g., server banners, internal IP leakage)
- Missing security headers
- Clickjacking on non-sensitive pages
- Medium (4.0–6.9): ₹3,000 – ₹8,000
- Authenticated XSS (Cross-Site Scripting)
- Open redirects on production domains
- Insecure direct object references (IDOR) on low-impact resources
- Privilege escalation without critical access
- High (7.0–8.9): ₹8,000 – ₹20,000
- Unauthenticated XSS affecting sensitive pages
- SQL Injection (with proof of data retrieval)
- Critical misconfigurations exposing internal services
- IDOR leading to unauthorized access of sensitive data
- Critical (9.0–10.0): ₹20,000 – ₹50,000+
- Remote Code Execution (RCE)
- Database dump or full account takeover
- Authentication bypass on critical systems
- Massive data leak impacting multiple users
- Severe business-impacting flaws
All reward amounts are determined at the discretion of our security team based on the impact, severity, quality of the report, and reproducibility of the issue. Exceptional submissions may be eligible for higher payouts.
Reporting Guidelines
To help us triage and resolve vulnerabilities efficiently, please ensure your report is thorough, clear, and structured. A well-written report increases the likelihood of eligibility for higher rewards.
Your report should include the following:
- Clear Title & Summary: A concise, descriptive title summarizing the issue (e.g., "Stored XSS in User Profile Bio Field").
- Description & Impact: A detailed explanation of the vulnerability, its security implications, and potential business or user impact.
- Vulnerability Location: Precise URLs, API endpoints, or affected components (e.g., /user/profile, mobile app version 2.3.1).
- Steps to Reproduce: A clear, step-by-step guide demonstrating how to replicate the issue. Screenshots, logs, videos, or code snippets are encouraged.
- Proof of Concept (PoC): If applicable, provide a working exploit or example payload demonstrating the vulnerability’s existence and impact.
- Affected Systems or Services: Specify which assets are impacted (e.g., api.example.com, iOS app v2.1).
- Optional CVSS Severity Assessment: If possible, provide your own estimated severity rating based on CVSS v3.1 guidelines.
- Contact Information: Your preferred method of contact (email, platform username) in case our security team needs clarification.
- Any Additional Context: Such as mitigating factors, previous related reports, or public references (if relevant).
Reports missing critical information or lacking clarity may result in delays or lower reward eligibility. High-quality, reproducible, and responsible reports are highly valued.
Legal Safe Harbor
We value the contributions of the security research community in helping us maintain a secure ecosystem. To encourage responsible disclosure and protect researchers acting in good faith, our program provides a comprehensive legal safe harbor policy.
Scope of Authorization: Security research activities performed within the scope of this program are considered authorized. This includes:
- Testing and identifying vulnerabilities on in-scope assets listed in the program scope section.
- Accessing or interacting with test data and dummy accounts specifically provisioned for testing purposes.
- Non-destructive and non-disruptive methods of testing that do not degrade service availability or access to legitimate users.
Good-Faith Commitment: If your security research activities comply with our program's scope, rules of engagement, and reporting guidelines, we commit to:
- Not pursue civil action against you.
- Not refer the matter to law enforcement for prosecution, provided there is no evidence of malicious intent.
- Work with you to clarify any accidental rule breaches and resolve the matter collaboratively.
Exclusions: The safe harbor does not apply to:
- Activities targeting out-of-scope assets or violating other organizations' legal rights.
- Use of destructive testing, denial of service (DoS), or techniques causing significant data loss, service disruption, or harm to users.
- Any actions performed outside of this program’s published rules or without proper authorization.
We strongly encourage security researchers to provide full, timely, and responsible disclosures. Our goal is to work together to improve security for our users and services while ensuring you remain protected when acting in good faith.
Contact & Support Information
We value open, transparent, and collaborative communication with the security community. If you discover a vulnerability within our in-scope assets, please submit your findings through one of the official reporting channels listed below.
Vulnerability Submissions:
- Use our official Bug Bounty Submission Platform to submit reports securely.
- Alternatively, email your detailed report to shvetgharework@example.com with the subject line: [Bug Bounty Submission].
Response Commitment: Our security team acknowledges all valid submissions within 2 business days and aims to provide regular updates on the status of your report, including:
- Initial triage confirmation
- Expected remediation timeline (if applicable)
- Reward eligibility assessment
- Final resolution summary and reward issuance (if earned)
General Security Inquiries: For policy clarifications, questions about scope, safe harbor protections, or collaboration proposals, reach out via:
- Email: shvetgharework@example.com
- Visit our Security Advisory Page for program announcements and updates.
We deeply appreciate the time and effort of all ethical security researchers contributing to a safer digital ecosystem.