DoctorC Bug Bounty

DoctorC, at it's sole discretion, offer compensation (the range goes from INR 5,000 to INR 40,000 depending on the severity of the bug) to ethical security researchers who disclose vulnerabilities transparently and collaborate with us throughout the remediation process. A good reference bug bounty policy is as outlined here - https://mydukaan.io/bugbounty/  

Please fill out the form here to report a bug or an issue.

Form Link -> https://forms.gle/thghNfHpRweJwfHi6

Copied from Dukaan's Excellent page here. The terms are as follows - 

Program rules

• Don't violate the privacy of other users, destroy data, disrupt our services, etc.

• Give us a reasonable time to respond to the issue so that our team will try to triage all reports with priority to the severity, scenario and exploit complexity. We will notify you when the reported vulnerability is remediated, and you may confirm that the solution covers the vulnerability adequately.

• Only target your own accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the accounts of other users without the express permission of our team.

• Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc.

• In case you find a severe vulnerability that allows system access, you must not proceed further.

• It is DoctorC’s decision to determine when and how bugs should be addressed and fixed.

• Disclosing bugs to a party other than DoctorC is forbidden, all bug reports are to remain at the reporter and DoctorC’s discretion.

• Threatening of any kind will automatically disqualify you from participating in the program.

• Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.

• Bug disclosure communications with DoctorC’s Security Team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.

Eligibility

• Be the first to report the issue to us.

• Must pertain to an item explicitly listed under Vulnerability Categories.

• Must contain sufficient information including a proof of concept screenshot, video, or code snippet where needed.

• You agree to participate in testing the effectiveness of the countermeasure applied to your report.

• You agree to keep any communication with DoctorC private.

Vulnerability Categories

Vulnerability Type

• Cross-Site Request Forgery

• Cross-Site Scripting

• Open Redirects

• Cross Origin Resource Sharing

• SQL injections

• Server Side Request Forgery

• Privilege Escalation

• Local File Inclusion

• Remote File Inclusion

• Leakage of Sensitive Data

• Authentication Bypass

• Directory Traversal

• Payment Manipulation

• Remote Code Execution

• Information Disclosure

• Subdomain Takeover

• Insecure Direct Object Reference (IDOR)

Exclusions

• Missing any best security practice that is not a vulnerability

• Self XSS

• Username or email address enumeration

• Social engineering and flooding of email

• HTML injection and CSV injection

• Open Redirects without demonstrating additional security impact (such as stealing auth tokens)

• Clickjacking in unauthenticated pages or in pages with no significant state-changing action

• Logout or unauthenticated CSRF

• Missing cookie flags on non-sensitive cookies

• Missing security headers that do not lead directly to a vulnerability

• Unvalidated findings from automated tools or scans

• Access to individual paid features on an ineligible plan

• Attacks that require physical access to a user device

• Host header attacks without evidence of the ability to target a remote victim

• Use of a known-vulnerable library (without evidence of exploitability)

• Low-impact descriptive error pages and information disclosures without any sensitive information

• Invalid or missing SPF/DKIM/DMARC/BIMI records

• Password and account policies, such as (but not limited to) reset link expiration or password complexity

• Phishing risk via unicode/punycode or RTLO issues

• Testing on third party plugins and subdomains are ineligible for a reward.

• Missing rate limitations on endpoints (without any security concerns)

• Presence of EXIF information in file uploads

• Ability to upload/download executables

• Lack of mobile binary protection and mobile SSL pinning

• Reports exploiting the behaviour of vulnerabilities in outdated browsers