
Recent Posts

Bug bounty programs / Files Bug Bounty
« Last post by Angelina on September 20, 2023, 06:47:29 pm »
submit bug report:

Here at, we celebrate security and we encourage independent security researchers to help us keep our products secure.
We offer a Security Bug Bounty Program (the "Program") to create an incentive and reward structure so that researchers are able to devote resources to working on
We will pay $100 to $10,000, at our discretion, to any researcher who discovers a significant security vulnerability in We pay quickly and fairly, every time, as long as you follow our rules.
If you've found a vulnerability or would like to perform security research against, please read through the rules below.
NOTE: Testing is only authorized on the targets listed as In-Scope. Any domain/property of or Action Verb LLC (the owner and operator of not listed in the targets section is out of scope. This includes any/all subdomains not listed in the In-Scope section.
Reports We Are Looking For
We want to know about anything on our platform that poses a significant security vulnerability to either us or our customers.
These can include:
Privilege Escalation
Authentication Bypass
Leakage of Sensitive Data
Remote Code Execution
SQL Injection
Cross-Site Request Forgery (XSRF)
Cross-Site Scripting (XSS)
Code Injection
... and more!
On the marketing site asset ( we are looking for vulnerabilities that lead to a vulnerability on the actual * platform.
Bug Bounty Program Requirements
To participate in our program, you must create a trial account on our platform by navigating to and clicking the button to start a Free Trial. That Trial sign up process will create the '' URL to be used for testing.
VERY IMPORTANT: Your account must include the phrase "[BUGBOUNTY]" in the "Company Name" used when registering. (Without the quotes, no space between the two words, but with square brackets.)
Here is an example of the values to use in the Trial sign up form:
Company name: [BUGBOUNTY] Trial Company
Phone Number: 555-555-5555
Work email: [email protected]
Password: Pa55w0rd
Absolutely do not under any circumstances input payment card information (credit card or debit card) or make a payment unless you intend to pay the charge in full. If you properly tag your account as a [BUGBOUNTY] site by following the directions above, we will not prompt you for payment during your testing period.
Failure to abide by the above will result in your full disqualification from this program.
Additional Rules:
Do not create more than four trial accounts within a 60-day period for the purpose of conducting security research against our platform.
Do not attempt to gain access to another user's account or data.
Do not impact other users with your testing.
Do not perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
Do not publicly disclose a bug either before or after it has been fixed. Public disclosure means disclosure to anyone, even on private "Hacker" websites and forums.
Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Do not upload information about the vulnerability to any site you do not directly own. This includes uploading videos to YouTube, Vimeo, etc., even if marked private.
Any scanners or automated tools used to find vulnerabilities need to be rate limited.
Decisions made by us regarding the eligibility of submissions are final. Do not write back to dispute a decision.
You are expected to be 100% professional and pleasant to work with via E-Mail.
Reports That Do Not Qualify
The following types of reports do not qualify and will not pay a bounty.
Anything related to billing, pricing, ability to get "free" service, ability to not be charged for certain types of usage, etc. Our billing is all manually reviewed and none of these things are a problem in practice.
Reports related to actual authenticated Site Admins being able to use their position as Site Admin to attack other users by using sitewide administration features.
Vulnerabilities that only affect outdated or unpatched browser/plugin versions.
Vulnerabilities requiring exceedingly unlikely user interaction.
Vulnerabilities, such as timing attacks, that prove the existence of a user or site.
Vulnerabilities requiring social or physical attacks.
Reports related to denial of service attacks or DNSsec.
Insecure cookie settings for non-sensitive cookies.
Reports related to HTTP Digest authentication being better than HTTP Basic (it isn't)
Reports related to password strength requirements
Disclosure of public information and information that does not present significant risk.
Vulnerabilities that have already been submitted by another user, that we are already aware of, or that have been classified as ineligible.
Scripting or other automation and brute forcing of intended functionality.
Issues that we can't understand or reproduce.
Vulnerabilities that involve running local code to modify or manipulate the desktop application on Windows or Mac.
Reports related to the Quarantine feature on Mac.
Commonly False Positive Reports
is an FTP, SFTP, and WebDAV hosting service. Obviously this means that we will have an open FTP server on port 21, SFTP on port 22, and it means that our servers respond to DAV verbs.
EXIF Geolocation data not being stripped. does not alter uploaded content in any way. Users are free to upload and share content any way they want.
offers the ability to make a folder publicly hosted at This hosting mode is intended to be full-featured web hosting just like any other web hosting provider, meaning that the ability to serve full websites with Javascript is intended. This means that you can upload malicious Javascript to that folder and have it be served. That's intentional. In order for an XSS attack related to public hosting to be in scope, it needs to relate to one customer attacking another customer, rather than attacking itself.
Important Terms
We aim to pay bounties as quickly as possible and will pay bounties sometimes before the issue is patched. Therefore, we require that you do not disclose any vulnerability publicly, either before or after the bounty is paid.
If paid a bounty, you may disclose that you received a bounty, but you may not disclose the amount or any information related to the type of vulnerability you found. Under no other circumstances may you disclose anything about your participation in this program.
You are still bound by the Terms of Service you agreed to upon signup for your Trial account. Please read and understand this document as it affects your rights.
To Report a Vulnerability
To report a vulnerability, first re-read this entire page to be sure that you understand the terms. We may refuse to pay bounties if you violate the terms on this page, even if we act on the submission.
We will respond as quickly as possible to your submission.
Bug bounty programs / Silverstreet Bug Bounty
« Last post by Angelina on July 31, 2023, 06:03:35 pm »
submit bug report:

You create the message
we handle the delivery
Connect with anybody, anytime, anywhere. We offer programmable SMS, AI Messaging, 2FA, and Omnichannel communication platforms for you as tools to boost your business. Integrate with our easy-to-use API and benefit from our 24/7 support and global network coverage.

Twizo Communicate
Customise your campaign with a few clicks.

Twizo Authenticate
Protect your customer data with Two-Factor Authentication.

Send SMS in large quantities through the highest quality routes in a fast, scalable and cost effective way.

Number Lookup
Check the operator before sending to perform a better cost effective campaign.

Number Lookup
Mobile Number Portability (MNP) is now a worry of the past.

Protect your service and your customers by preventing fraud and security breaches through the use of Number Lookup.

Twizo Authenticate
Security Authentication - Quick Integration, Many Solutions.

Twizo makes online security simple through easy integration and a variety of authentication solutions. We serve customers globally allowing them to scale their businesses while we worry about their security.

Twizo Communicate
Seamlessly navigate through our services.

Our cloud based mobile communicator provides you with access to all of our features to manage your campaign, engage with your customers and track the results of your efforts.

A powerful way to communicate with your customers on a global scale.

Our API enables you to send SMS in large quantities through the highest quality routes in a fast, scalable and cost effective way. A powerful tool to communicate with your customers across the globe.

Bug bounty programs / SEEK Bug Bounty
« Last post by Angelina on July 31, 2023, 05:51:12 pm »
submit bug report:

For this program, we're inviting researchers to test SEEK's web applications and services - with a focus of identifying security weaknesses that might lead to the compromise of our customer data (mainly, job seekers profiles and resumes).

Thank you for participating!

A Few Important Requirements for SEEK:
Denial of Service, Rate Limiting, and other automated attacks are not allowed. Please do NOT use automated tooling when conducting testing on SEEK assets.
All testing must be conducted using your email ID only. If you fail to use your email ID, you run the risk of getting blocked from accessing SEEK applications.
Customer instances are not to be accessed in any way (i.e. no customer data is accessed, customer credentials are not to be used or "verified")
If you believe you have found sensitive customer data (e.g., login credentials, API keys etc) or a way to access customer data (i.e. through a vulnerability) report it, but do not attempt to successfully validate if/that it works.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that a vulnerability's priority will be adjusted based on its likelihood and impact. In any instance where an issue is downgraded, SEEK will provide a reasonable justification to the researcher.

To maximize your reward and payout time frame, please make sure to include the following in your report:

An attack scenario: What is the most likely way an attacker could abuse this vulnerability?
Clear reproduction steps: If we can't easily replicate what you are describing, we may not consider the issue as serious.
Recommended fix: If you have any good ideas on ways to mitigate the risk without impacting normal users, your submission will have more value.
Triage SLA
For P1/P2 issues, we aim to complete our triage within one business week of the issue being reported. For other issues, it may take us up to three business weeks to triage the issue.
Bug bounty programs / Robeco Bug Bounty
« Last post by Angelina on July 31, 2023, 05:49:42 pm »
submit bug report:

Working on system security
Every day, specialists at Robeco are busy improving the systems and processes. This helps to protect the details of our clients against misuse and also ensures the continuity of our services. However, this does not mean that our systems are immune to problems. If problems are detected, we would like your help.

What can we expect from one another?
Report any problems about the security of the services Robeco provides via the internet. If you discover a problem or weak spot, then please report it to us as quickly as possible. Examples of vulnerabilities that need reporting are:

cross-site scripting vulnerabilities
SQL-injection vulnerabilities
encryption weaknesses
What do we expect from you?
Ensure that you do not cause any damage while the detected vulnerability is being investigated. Your investigation must not in any event lead to an interruption of services or lead to any details being made public of either the asset manager or its clients.

What do we do with your report?
A team of security experts investigates your report and responds as quickly as possible. We ask you not to make the problem public, but to share it with one of our experts. Give them the time to solve the problem. We will let you know what our assessment of your report is, whether we will provide a solution and when we plan to do that.

Rules of the game
There is a risk that certain actions during an investigation could be punishable. If you act in good faith, carefully and in line with the rules of the game supplied, there is no reason for Robeco to report you. So follow the rules as stated in these responsible disclosure guidelines and do not act disproportionately:

Do not use social engineering to gain access to a system.
Do not place a backdoor in an information system in order to then demonstrate the vulnerability, as this can lead to further damage and involves unnecessary security risks.
Make as little use as possible of a vulnerability. Only perform actions that are essential to establishing the vulnerability.
Do not edit or delete any data from the system and be as cautious as possible when copying data (if one record is enough to demonstrate the problem, then do not proceed further).
Do not introduce any system changes.
Do not try to repeatedly access the system and do not share the access obtained with others.
Do not use any so-called 'brute force' to gain access to systems. After all, that is not really about vulnerability but about repeatedly trying passwords.
How should you submit a report?
If you have detected a vulnerability, then please contact us using the form below.

What does not need to be reported via the disclosure point?
The disclosure point is not intended for:

submitting complaints about services
making fraud reports and/or suspicions of fraud reports from false mail or phishing e-mails
reporting viruses
submitting complaints or questions about the availability of the website
Bug bounty programs / ResMed Bug Bounty
« Last post by Angelina on July 31, 2023, 05:48:12 pm »
submit bug report:

Our security
ResMed, a global leader in digital health, is dedicated to proactively solving the complex challenges of information security, strengthening our defenses against threats and mitigating risks. We’ve built our processes and protocols from best practices in order to maintain confidentiality and data integrity for the business, our employees, our partners and our patients. Below are a sample of the controls we utilize across ResMed and subsidiary companies:


Layer | Threats | Defenses
Physical | Physical intrusion, social engineering | Badged access, data center controls, training, assessments
Cloud | Data loss, misconfiguration | Data loss prevention (DLP), configuration monitor, security information and event management (SIEM), web application firewall
Network | Hacking, denial of service (DoS) | IDS/IPS firewalls, strict ACLs, virtual private network (VPN), app security, SIEM
Platform | Phishing, malware, hacking | Employee training, phishing campaigns, URL filtering, security ops center, email security
PCs and mobile devices | Malware, ransomware, hacking, device loss | Traditional and next-generation anti-virus, device encryption, asset management
Application | SQL injection, man-in-the-middle, software vulnerability, hacking | Penetration testing, coding standards, patching, secure software development life cycle (SDLC)
Data | Unauthorized access | Encryption, IDS/IPS firewalls, backup/recovery, VPN, multi-factor authentication (MFA)
Response | Security event, breach, data corruption or loss, system loss | SIEM incident response, dedicated security team, third-party support
Security news
Okta Breach

ResMed is aware of the LAPSUS$ attack on Okta and is assured that none of our customers' information has been impacted. This has been confirmed both by our internal teams and by Okta.

Log4j (Log4Shell) Vulnerability

Read about how ResMed is dealing with this threat here: Log4j Security Bulletin


ResMed Statement on the Role of CPAP in Mitigating the Effects of COVID-19

Ripple20 Security Vulnerabilities

On June 16 2020, a set of vulnerabilities in the Treck TCP/IP stack was made public. If exploited these vulnerabilities could interfere with the function of medical devices.

We have examined our devices and have confirmed that some products use the affected components - ResMed Connectivity Module Hospital (RCMH), Astral, and TxLink. The Ethernet port is disabled at the time of shipping for RCMH and Astral, which prevents access to the TCP/IP stack. The TxLink device is intended for use within private networks under supervised conditions and is considered low risk with respect to Ripple20.

URGENT/11 Security Vulnerabilities

On July 29 2019, the URGENT/11 set of vulnerabilities in Real-Time Operating Systems was made public. If exploited these vulnerabilities could interfere with the function of medical devices, particularly within hospital networks.

We have examined our devices and can confirm that the vulnerable Operating Systems are not in use within our medical devices and that we are not exposed to this set of vulnerabilities.

Recruitment Fraud Alert
It has come to our attention that various individuals and organizations are offering false employment opportunities on behalf of ResMed. Such fraudulent communications may come from various sources, including fake websites and/ or unsolicited emails. These communications seek to obtain personal data and payment from victims by offering jobs at ResMed that do not exist.

Please be advised ResMed would never ask for payment to progress a job application. When in doubt, please check to see if the position is posted on our website before applying.

Additionally, please report any suspicious recruiting activity to

ResMed Responsible Disclosure Program
Response targets

ResMed will make a best effort to meet the following SLAs for hackers participating in our program:

Type of response | SLA in business days
First response | 5 days
Time to triage | 10 days
Time to resolution | depends on severity and complexity
We’ll try to keep you informed about our progress throughout the process.

Disclosure policy

Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines.

Program rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Physical attacks are prohibited.
Disclosing any client or patient information is prohibited.
Disclosing the vulnerability publicly in any way before ResMed provides permission is prohibited.
Testing on third party vendors is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Out-of-scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

Highly speculative/theoretical vulnerabilities or previously known vulnerable libraries without a working proof of concept
Best practice suggestions that are not vulnerabilities (i.e. missing HttpOnly or Secure cookie flags, SSL/TLS configuration, etc.)
Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Credential re-use from public dumps
Automated scan reports or search engine results (i.e., Shodan, SSL Labs, Etc.) without valid proof of concept
Vulnerabilities only affecting users of outdated or unpatched browsers [fewer than two stable versions behind the latest released stable version]
Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access to a user's device
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Rate limiting or bruteforce issues on non-authentication endpoints
Software version disclosure/banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
Open redirect - unless an additional security impact can be demonstrated
Issues that require unlikely user interaction

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep ResMed and our users safe!
Bug bounty programs / Relaso Bug Bounty
« Last post by Angelina on July 31, 2023, 05:46:22 pm »
submit bug report:

Vulnerability Reporting Policy
The security team acknowledges the valuable role that independent security researchers play in Internet security. Keeping our customers’ data secure is our number-one priority, and we encourage responsible reporting of any vulnerabilities that may be found in our site or application. is committed to working with the security community to verify and respond to any potential vulnerabilities that are reported to us. Additionally, pledges not to initiate legal action against security researchers for penetrating or attempting to penetrate our systems as long as they adhere to the conditions below.

Testing for security vulnerabilities
Conduct all vulnerability testing against Trial or Developer Edition organizations (instances) of our online services to minimize the risk to our customers’ data.

Reporting a potential security vulnerability
Privately share details of the suspected vulnerability with by sending an email to [email protected]
Provide full details of the suspected vulnerability so the security team may validate and reproduce the issue
does not permit the following types of security research:
Causing, or attempting to cause, a Denial of Service (DoS) condition
Accessing, or attempting to access, data or information that does not belong to you
Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you

The security team commitment
To all security researchers who follow this Vulnerability Reporting Policy, the security team commits to the following:

To respond in a timely manner, acknowledging receipt of your report

To provide an estimated time frame for addressing the vulnerability
To notify the reporting individual when the vulnerability has been fixed

No compensation
does not compensate people for reporting a security vulnerability, and any requests for such compensation will be considered a violation of the conditions above. In such an event, reserves all of its legal rights.
Bug bounty programs / Philips Bug Bounty
« Last post by Angelina on July 31, 2023, 05:43:49 pm »
submit bug report:

Philips is committed to ensuring the safety and security of patients, operators and customers who use our products and services. Philips maintains a global network of product security officers for developing and deploying advanced best practice security and privacy features for our products and services, as well as for managing security events.



Philips operates under a global product security policy, which guides our incident management and all risk assessment activities relating to potential security and potential privacy vulnerabilities identified in our products and services. Philips supports coordinated vulnerability disclosure, and encourages vulnerability testing by security researchers and by customers, with responsible reporting to Philips. To this end, Philips maintains a product security page with information on coordinated vulnerability disclosure at

When submitting reports of vulnerability findings, please ensure the following procedures are followed, for safe and efficient support.

Our PGP public key (2.0KB)
Reporting Procedure

1. Please use our PGP public key to encrypt any email submissions to us at [email protected].
2. Please provide us with your reference/advisory number and sufficient contact information, such as your organization and contact name so that we can get in touch with you.
3. Please provide a technical description of the concern or vulnerability.
        a) Please provide information on which specific product you tested, including product name and version number; the technical infrastructure tested, including operating system and version; and any relevant additional information, such as network configuration details.
        b) For web based services, please provide the date and time of testing, URLs, the browser type and version, as well as the input provided to the application.
4. To help us verify the issue, please provide any additional information, including details on the tools used to conduct the testing and any relevant test configurations. If you wrote specific proof-of-concept or exploit code, please provide a copy. Please ensure all submitted code is clearly marked as such and is encrypted with our PGP key.
5. If you have identified specific threats related to the vulnerability, assessed the risk, or have seen the vulnerability being exploited, please provide that information also PGP-encrypted.
6. If you communicate vulnerability information to vulnerability coordinators such as ICS-CERT, CERT/CC, NCSC or other parties, please advise us and provide their tracking number, if one has been made available.
7. When possible provide the report in English to expedite the process.
Bug bounty programs / Panzura Bug Bounty
« Last post by Angelina on July 31, 2023, 05:42:51 pm »
submit bug report:

Panzura lets you put your data to work.

Create comprehensive workloads in any public cloud without sacrificing security or egressing data.
Leverage actionable intelligence to increase time-to-value from internal data.
Simplify complex processes using our efficient, highly-secure single platform.
Eliminate duplicated data & locate missing files in seconds.
Bug bounty programs / Panasonic Bug Bounty
« Last post by Angelina on July 31, 2023, 05:41:09 pm »
submit bug report:

Panasonic Product Security Incident Response Team
Please read the information below concerning Panasonic's policy on personal information practices on the website, and indicate your consent by clicking the "I agree; go to the next page" button. This will take you to Inquiry Form.
Note: You cannot proceed to Inquiry Form if you do not indicate your consent to the contents below. Thank you for your understanding.

[Personal Information Practices on the Website]

(1) Company name and personal information protection manager
Panasonic Corporation Panasonic PSIRT

(2) Purposes of use of personal information
Personal information entered and obtained will be used as follows:
To solve the vulnerabilities and record them

(3) Provision of personal information
In some cases we will provide personal information we have obtained, such as a customer's name and contact information, to an affiliate of the Panasonic Group, by paper or electronic medium, when we have determined that it is appropriate for the affiliate of the Company Group to respond to a product inquiry. In such cases, customers are able to request that the Company stop providing their personal information to group companies.

(4) Consignment of personal information management
In some cases we will consign all or part of the management of personal information we have obtained within a necessary scope determined by the purposes described above.

(5) Disclosure of personal information subject to disclosure and call center
Individuals who have provided personal information to Panasonic may request that Panasonic perform any of the following actions in respect to such information that is subject to disclosure.
a) Notify them of the purpose
b) Disclose the content of the information held
c) Revise or make corrections to information
d) Add new information
e) Remove information no longer relevant
f) Terminate the usage of personal information held
g) Dispose of all personal information held
h) Terminate the provision of personal information to third parties
For requests concerning any of the above actions, please contact us via inquiry form.
Panasonic Corporation Panasonic PSIRT

(6) Notes on entering personal information
In some cases, we will contact individuals by e-mail or telephone. Please note that if you do not enter your telephone number or e-mail address we may be unable to contact you.

(7) Acquisition of personal information by means that cannot identify individuals easily
We do not obtain personal information using means such as cookies or Web beacons by which individuals cannot be easily identified.

(8) Bug Bounties
Panasonic Corporation does not run a bug bounty program for its products.

(9) Vulnerability Coordination Policy / Vulnerability Disclosure Policy
Panasonic PSIRT will handle reported vulnerabilities in accordance with this policy.

(10) CVE Numbering Authority (CNA)
As of December 1, 2021, Panasonic PSIRT has become a CVE Numbering Authority (CNA). As a CNA, Panasonic PSIRT will assign CVE IDs to vulnerabilities found in Panasonic products. For Panasonic products reported with vulnerabilities, we will assign CVE IDs and disclose them in a timely manner to protect the security and safety of our products and customers.
Bug bounty programs / OLA Bug Bounty
« Last post by Angelina on July 31, 2023, 05:39:54 pm »
submit bug report:

Bug Bounty Program Information
The Ola Bug Bounty Program ("Program") is designed to encourage security researchers to find security vulnerabilities in Ola's software and to recognize those who help us create a safe and secure product for our customers and partners. The Program is operated and facilitated by ANI Technologies Private Limited and its affiliates (together "Ola").

If you believe you have found a security vulnerability in Ola software, we encourage you to let us know as soon as possible. We will investigate the submission and, if it is found valid, take the necessary corrective measures. We may request additional information regarding the vulnerability(ies), which you will cooperate in providing. We request you to review our bug bounty policy as mentioned below, along with the reporting guidelines, before you report a security issue. By submitting any information to us, you agree to be bound by these terms and conditions ("T&Cs").

To show our appreciation for security researchers, we offer a monetary reward/goodies for all valid security issues based on the severity, impact and complexity of the same; the individual will also be given an honourable mention in our Hall of Fame.

The information on this page is intended for security researchers interested in reporting security vulnerabilities to Ola security team. If you are an Ola customer and have concerns regarding non-information security related issues or seeking information about your Ola account / complaints, please reach out to customer support

Reporting security issues
Go to the Report a Vulnerability page to report security issues related to our applications.

We offer monetary rewards for security issues which meet the following criteria:

The minimum monetary reward for eligible bugs is 1000 INR. All reward amounts, once communicated by Ola, are non-negotiable.
We may reward only with awesome goodies depending on the severity of the vulnerability.
Apart from monetary benefits, vulnerability reporters who work with us to resolve security bugs in our products will be honored on the Hall of Fame page.
Rewards are decided based on the severity, impact, complexity and the awesomeness of the vulnerability reported and it is at the discretion of Ola Bug Bounty panel.
* All the monetary rewards mentioned on this page are in Indian Rupees (INR).

Responsible disclosure & reporting guidelines
You are bound by utmost confidentiality with Ola. You will not publicly or otherwise disclose any information regarding a bug or security incident without Ola’s prior approval.
Please understand that due to the high number of submissions, it might take some time to triage the submission or to fix the vulnerability reported by you. Therefore, give us a reasonable amount of time to respond to you.
Originality, quality, and content of the report will be considered while triaging the submission; please make sure that the report clearly explains the impact and exploitability of the issue with a detailed proof of concept.
Please make sure that any information such as proof-of-concept videos, scripts, etc. is not uploaded to any third-party website and is attached directly as a reply to the acknowledgement email that you receive from us.
You are obliged to share any extra information if asked for; refusal to do so will result in invalidation of the submission.
You will not access any data/internal resources of Ola as well as the data of our customers without prior approval from the Ola security team.
You must be respectful to our existing applications, and in any case you should not run test-cases which might disrupt our services.
Do not use scanners or automated tools to find vulnerabilities since they’re noisy. Doing so will invalidate your submission and you will be completely banned from the Program.
We also request you not to attempt attacks such as social engineering, phishing etc. These kinds of findings will not be considered as valid ones, and if caught, might result in suspension of your account and appropriate legal action as well.
Responsibility at our end
We will be fast and will try to get back to you as soon as possible.
We will keep you updated as we work to fix the bug you have submitted.
The Hall of Fame will be updated only once the vulnerability has been fixed.
Targets in scope
Ola Cabs mobile app ( Android | iOS )
Ola Lite mobile app - Lighter version of Ola Cabs app ( Android )
Ola Money mobile app ( Android | iOS )
Ola Operator mobile app ( Android )
Ola Partner mobile app ( Android | iOS)
Out of Scope Targets
All the sandbox and staging environments are out of scope.
All external services/software which are not managed or controlled by Ola are considered as out of scope / ineligible for recognition.
Newly acquired company websites/mobile apps are subject to a 12 month blackout period. Issues reported sooner in such websites/mobile apps won't qualify for any reward or recognition.
Prerequisites to qualify for reward or recognition:

Be the first researcher to responsibly disclose the bug. Duplicate submissions are not eligible for any reward or recognition.
Must adhere to our Responsible disclosure & reporting guidelines (as mentioned above).
This program is applicable only to individuals, not to organizations.
Verify the fix for the reported vulnerability to confirm that the issue is completely resolved.
In scope vulnerability examples
Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data or enable access to a restricted/sensitive system within our infrastructure.

Example of such bugs are:

Cross-Site Scripting (XSS)
SQL Injection
XML external entity (XXE) injection
Server Side Template Injection (SSTI)
Server Side Request Forgery (SSRF)
Cross-Site Request Forgery (on sensitive actions)
Broken Authentication / Authorization
Broken Session flaws
Remote Code Execution (RCE)
Privilege Escalation
Business Logic flaws
Payment Related Issues
Misuse/Unauthorized use of our APIs
Open Redirects (which allow stealing secrets/tokens)
Out of scope vulnerabilities
Some of the reported issues, which carry low impact, may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues which typically do not earn any recognition:

Bugs requiring exceedingly unlikely user interaction (e.g. social engineering)
Spamming (e.g. SMS/Email Bombing)
Any kind of spoofing attacks or any attacks that lead to phishing (e.g. Email spoofing, capturing login credentials with a fake login page)
Denial-of-service attacks or vulnerabilities that lead to DoS/DDoS
Login - Logout cross-site request forgery
Self XSS
Presence of server/software banner or version information
Stack traces and Error messages which do not reveal any sensitive data
Third party API key disclosures without any impact or which are supposed to be open/public.
OPTIONS / TRACE HTTP methods enabled
Missing HTTP Security Headers (e.g. Strict-Transport-Security - HSTS)
Missing Cookie Flags (e.g. HttpOnly, Secure, etc.)
Host Header Injection
Broken Links (e.g. 404 Not Found page)
Known public files or directories disclosure (e.g. robots.txt, CSS/images, etc.)
Browser ‘autocomplete’ enabled
HTML / Text Injection
Forced Browsing to non-sensitive information (e.g. help pages)
Certificates/TLS/SSL related issues (e.g. BREACH, POODLE)
DNS issues (e.g. Missing CName, SPF records etc.)
End of Life Browsers / Old Browser versions (e.g. Internet Explorer 6)
Weak CAPTCHA or CAPTCHA bypass (e.g. using browser addons)
Coupon Misuse
Brute force on forms (e.g. Contact us page)
Brute force on “Login with password” page
Account lockout not enforced
CSV injection
Any kind of vulnerabilities that require installation of software such as web browser add-ons, etc. on the victim's machine
Rate limit mechanism bypass
Kiosk mode / Screen pinning bypass
Any kind of vulnerabilities that require physical device access (e.g. USB debugging), root/jailbroken access or third-party app installation in order to exploit the vulnerability
Bypassing root/jailbroken detection
SSL Pinning bypass
Reporting usage of known-vulnerable software/known CVEs without proving the exploitability on Ola’s infrastructure by providing a proper proof of concept
Bugs which Ola is already aware of or those already classified as ineligible
Terms and Conditions
By participating, you agree to comply with Ola’s Terms and Conditions which are as follows:

You shall abide by all the applicable laws of the land. Ola will not be responsible for any non-adherence to applicable laws on your part.
You shall not engage in any confidentiality or privacy breaches or violations, destruction, removal or amendment of data (personal or otherwise), or interruption or degradation of our services during your participation in this Program. In case of any breach or violation, Ola reserves the right to ban you from the Program and/ or take legal action.
Eligibility for reward or recognition is at the discretion of Ola.
Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
Threats of any kind will automatically disqualify you from participating in the program.
All the communications with Ola related to this program are to remain fully confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed. Failure to do so shall constitute a material breach of these T&Cs.
Ola reserves the right to discontinue the responsible disclosure program at any time without notice.
You may only investigate, or target vulnerabilities against your own account. Testing should not violate any law, or disrupt or compromise any data or access data that does not belong to you.
Vulnerabilities which Ola determines as accepted risk will not be eligible for any kind of recognition.
Any solutions, recommendations or suggestions, including any intellectual property contained therein, provided by you to Ola under this Program shall immediately transfer to Ola without any limitations or exceptions, and once communicated to Ola you waive all rights, title, ownership and interest therein. If requested, you shall provide Ola with appropriate documentation to formalise any such transfer or assignment.
Changes to Program Terms
The Program, including its policies, is subject to change or cancellation by Ola at any time, without notice. As such, Ola may amend these Program T&Cs and/or its policies at any time by posting a revised version on our website. By continuing to participate in the bug bounty program after Ola posts any such changes, you implicitly agree to comply with the updated Program terms.

Program Termination
In the event you breach any of these T&Cs or any other Program terms that Ola releases, Ola may immediately terminate your participation in the Program and/or take any further legal actions as necessary. In some cases all your previous contributions may also be invalidated.

Legal points
We shall not issue reward or recognition to any individual who does not follow the guidelines of our program and depending upon the action of an individual, we could take strict legal action. Ola does not commit to any compensation other than as outlined in these T&Cs or as communicated to you at the time of your submission. Ola shall not be liable to make any payments or rewards towards you in any other circumstances. Ola shall also not be liable in the event of delayed response to you for any submission.

Testing using Tools
Don't be evil. Practice safe checks. You must not use any automated tools/scripts, as those can be disruptive or cause systems to misbehave; doing so will invalidate your submission and you will be completely banned from the Ola bug bounty program.