Flipkart's responsible disclosure policy

At Flipkart, we take the security of our systems very seriously, and it is our constant endeavour to make our products secure for our customers. However, in the rare case when some security researcher or member of the general public identifies a vulnerability in our systems, and responsibly shares the details of it with us, we appreciate their contribution, work closely with them to address such issues, and ensure that they are rewarded fairly for their contribution.

How to report an issue?

The Flipkart Bug Bounty Program is now public on HackerOne. If you think you have discovered a valid in-scope vulnerability, please report it to us via the submission form available here.

Once we receive your submission, the team will investigate your report and work with you to understand and remediate the vulnerability. In the meantime, please do not discuss or disclose the vulnerability details until we close the report.

Program Rules

  • Please do not use any vulnerabilities to cause direct damage to our products or customers.
  • Please do not perform password spraying on any real user accounts in any of our applications.
  • Please refrain from using automated scanners/tools as some actions could trigger changes or damage our production systems and data.
  • Please do not send our employees or users malware as a part of testing. Also, social engineering against employees (phishing, vishing, smishing, etc.) is not acceptable.
  • Please do not attempt to sneak into our premises either secretly or by using social engineering.
  • Any subsidiaries, parents, affiliates are not in scope unless explicitly mentioned in the in-scope section.
  • Outdated software versions are subject to a 30-day blackout period to grant time for internal patching and testing (for instance, issues resulting from a 0-day, 1-day, etc.). Rewards will not be given for outdated software versions reported during this period.
  • Please keep all communication within the HackerOne program. Please do not directly contact our Customer Support or any Flipkart employee regarding the status of a submission. This will result in automatic disqualification for any reward, regardless of severity.

Out of scope vulnerabilities

  • Mobile apps of Flipkart and Myntra are out of scope (OOS) for this engagement
  • Username enumeration via signup, account and recovery forms
  • Rate-limiting related issues
  • Vulnerabilities regarding SPF/DMARC/DKIM records without verifiable proof of spoofing to a major mail client
  • Best-practice concerns such as cookies not marked Secure and HttpOnly, missing HSTS, SSL/TLS configuration, and missing security headers
  • Vulnerabilities reported by automated tools and scanners without additional proof of concept
  • Vulnerabilities that only affect outdated app versions or browsers: we consider vulnerabilities only in the versions of our applications that are currently in the app store, and exploits only in the latest browser versions
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  • Exploits that need MITM or physical access to the victim's device
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF
  • Previously known vulnerable libraries without a working Proof of Concept
  • Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS
  • Open redirect vulnerabilities are out of scope by default; if you chain one with a different vulnerability and make it impactful, we would be interested
  • Stack traces, directory listings or path disclosures
  • Self XSS
  • Social engineering attacks, whether against users or Flipkart employees
  • CVEs for outdated software with Low or Medium severity impact won't be considered for reward
  • Internal credential leak related reports will not be awarded a bounty. However, exceptions can be made in cases where there is direct impact to the organization, at the discretion of the Flipkart security team.
  • Credential leaks from personal repositories are not eligible for bounty. However, exceptions can be made in cases where there is direct impact to the organization, at the discretion of the Flipkart security team.
  • Document exposures are generally out of scope and are not eligible for a reward; however, this can differ from scenario to scenario depending on our discretion.

Cloud bucket leaks: please note that only leaks pertaining to customer data will be eligible for bounty.

Acknowledgements

Our bounty payouts are directly tied to security impact, but if we think that a researcher went the extra mile for a particular bug, we might add a bonus to the existing payout. For public disclosure, we would need to review the report and may ask you to hide certain details; we can also acknowledge your contributions in the Hall of Fame (HoF) section.

A big thank-you!