We, at Impact Guru Technology Ventures Pvt Ltd, work hard to keep our applications and user data secure and make every effort to be on top of the latest threats. We believe that information security is as important as any other part of an enterprise and should be considered the utmost priority. So to strengthen the same, we have introduced our Bug Bounty Program known as ImpactGuru’s Responsible Disclosure Bug Bounty Program.
If you believe you have found a security vulnerability in our applications (refer scope provided below), we encourage you to let us know as soon as possible.We will investigate the submission and if found valid, take necessary corrective measures. We may request you for additional information regarding the vulnerability(ies), for which you will cooperate, by providing the necessary information. We request you to review our bug bounty policy as mentioned below along with the reporting guidelines, before you report a security issue. By submitting any information to us, you agree to be bound by these terms and conditions ("T&Cs").
To show our appreciation for the security researchers, we offer a monetary reward for all valid security issues based on the severity impact and complexity of the same, along with the monetary reward, the individual will be given a certificate and also a honourable mention in our Hall of Fame
Targets in scope
Out of scope targets
- whitehat.impactguru.com (Please use username: whitehat and password: aUV9NLtDZaVqLAjN )
- ImpactGuru Mobile app (Android | IOS)
In Scope vulnerabilities
- All the sandbox and staging environments are out of scope.
- All external services / software, which are not managed or controlled by Impact Guru are considered as out of scope / ineligible for recognition.
Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data or enable access to a restricted/sensitive system within our infrastructure.
Example of such bugs are:
- Cross-Site Scripting (XSS)
- SQL Injection
- XML external entity (XXE) injection
- Server Side Template Injection (SSTI)
- Server Side Request Forgery (SSRF)
- Cross-Site Request Forgery (on sensitive actions)
- Broken Authentication / Authorization
- Broken Session flaws
- Remote Code Execution (RCE)
- Privilege Escalation
- Business Logical flaws
- Payment Related Issues
- Misuse/Unauthorized use of our API’s
- Open Redirects (which allow stealing secrets/tokens)
Out of Scope Vulnerabilities
Some of the reported issues, which carry low impact, may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues, which typically do not earn any recognition:
- Bugs requiring exceedingly unlikely user interaction (e.g Social engineering)
- Spamming (e.g. SMS/Email Bombing)
- Any kind of spoofing attacks or any attacks that leads to phishing (e.g. Email spoofing, Capturing login credentials with fake login page)
- Denial-of-service attacks or vulnerabilities that leads to DOS/DDOS
- Login - Logout cross-site request forgery
- Self XSS
- Presence of server/software banner or version information
- Stack traces and Error messages which do not reveal any sensitive data
- Third party API key disclosures without any impact or which are supposed to be open/public.
- OPTIONS / TRACE HTTP methods enabled
- Missing HTTP Security Headers (e.g. Strict-Transport-Security - HSTS)
- Missing Cookie Flags (e.g. HttpOnly, secure etc)
- Host Header Injection
- Broken Links (e.g. 404 Not Found page)
- Known public files or directories disclosure (e.g. robots.txt, css/images etc)
- Browser ‘autocomplete’ enabled
- HTML / Text Injection
- Forced Browsing to non-sensitive information (e.g. help pages)
- Certificates/TLS/SSL related issues (e.g. BREACH, POODLE)
- DNS issues (e.g. Missing CName, SPF records etc.)
- End of Life Browsers / Old Browser versions (e.g. internet explorer 6)
- Weak CAPTCHA or CAPTCHA bypass (e.g. using browser addons)
- Coupon Misuse
- Brute force on forms (e.g. Contact us page)
- Brute force on “Login with password” page
- Account lockout not enforced
- CSV injection
- Any kind of vulnerabilities that requires installation of software like web browser add-ons, etc in victim's machine
- Rate limit mechanism bypass
- Kiosk mode / Screen pinning bypass
- Any kind of vulnerabilities that requires physical device access (e.g. USB debugging), root/jailbroken access or third-party app installation in order to exploit the vulnerability
- Bypassing root/jailbroken detection
- SSL Pinning bypass
- Tap jacking
- Reporting usage of known-vulnerable software/known CVE’s without proving the exploitability on Impact Guru’s infrastructure by providing a proper proof of concept
- Bug which Impact Guru is already aware of or those already classified as ineligible
Reporting a vulnerability
If you have identified a vulnerability in any of the application as mentioned in the scope, we request you to follow the steps outlined below:-
- Please contact us by sending an email to [email protected] with all necessary details which will help us to reproduce the vulnerability scenario.
- All reports must include concise Proof-of-Concept (PoC) and clear reproduction steps. Reports with only a PoC video (Google Drive link) without any textual description may be ineligible for a reward.
- Our team will try to triage all reports within three days from the date of submission and priority of remediation will be assessed by the severity, scenario and exploit complexity. We will notify you when the reported vulnerability is remediated, and you may confirm that the solution covers the vulnerability adequately.
ImpactGuru provides rewards to vulnerability reporters at its discretion. To show our appreciation towards vulnerability reporters, we offer monetary rewards for all valid security issues based on the severity of the vulnerability, complexity, impact that it can create and the quality of the report. Along with monetary reward, the individual will also be given a certificate and an honourable mention in our Hall of Fame
Responsible Disclosure & Reporting Guidelines
- Do not use scanners or automated tools to find vulnerabilities since they’re noisy. Doing so will invalidate your submission and you will be completely banned from the Program.
- Always use accounts, email addresses, phone numbers that you own for testing our products and only interact with accounts you own.
- You are bound by utmost confidentiality with ImpactGuru. You will not publicly or otherwise disclose any information regarding a bug or security incident without ImpactGuru’s prior approval.
- Please understand that due to the high number of submissions, it might take some time to triage the submission or to fix the vulnerability reported by you. Therefore, give us a reasonable amount of time to respond to you.
- Please make sure that any information like proof of concept videos, scripts etc., should not be uploaded on any 3rd party website and should be directly attached as a reply to the acknowledgement email that you receive from us.
- You will not access any data/internal resources of ImpactGuru as well as the data of our customers without prior approval from ImpactGuru’s security team.
- You must be respectful to our existing applications, and in any case you should not run test-cases which might disrupt our services.
- We also request you not to attempt attacks such as social engineering, phishing etc. These kinds of findings will not be considered as valid ones, and if caught, might result in suspension of your account and appropriate legal action as well.
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data.
- Do not reveal the problem to others until it has been resolved and the confirmation of the same has been given by the security team.
Prerequisites to qualify for reward or recognition:
- Be the first researcher to responsibly disclose the bug. Duplicate submissions are not eligible for any reward or recognition.
- Must adhere to our Responsible disclosure & reporting guidelines (as mentioned above).
- This program is applicable only for individuals not for organizations.
- Verify the fix for the reported vulnerability to confirm that the issue is completely resolved.
- You are obliged to share any extra information if asked for, refusal to do so will result in invalidation of the submission.
- Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to your participation to the Bug Bounty Program.
By participating in ImpactGuru’s Responsible Disclosure Bug Bounty Program, you acknowledge that you have read and agree to ImpactGuru’s Terms of Service as well as the following:
- Your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.
- You are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments when we run bug bounty programs in the future.
- Impact Guru reserves the right to terminate or discontinue the Program at its discretion.