DoctorC, at its sole discretion, offers compensation (ranging from INR 5,000 to INR 40,000 depending on the severity of the bug) to ethical security researchers who disclose vulnerabilities transparently and collaborate with us throughout the remediation process. A good reference bug bounty policy is outlined here - https://mydukaan.io/bugbounty/
Please fill out the form here to report a bug or an issue.
Form Link -> https://forms.gle/thghNfHpRweJwfHi6
The terms below are copied from Dukaan's excellent page linked above. They are as follows -
Program rules
Don't violate the privacy of other users, destroy data, disrupt our services, etc.
Give us a reasonable time to respond to the issue; our team will try to triage all reports, prioritising by severity, scenario and exploit complexity. We will notify you when the reported vulnerability is remediated, and you may then confirm that the fix covers the vulnerability adequately.
Only target your own accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the accounts of other users without the express permission of our team.
Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
In case you find a severe vulnerability that allows system access, you must not proceed further.
It is DoctorC’s decision to determine when and how bugs should be addressed and fixed.
Disclosing bugs to a party other than DoctorC is forbidden; all bug reports remain at the reporter's and DoctorC's discretion.
Threats of any kind will automatically disqualify you from participating in the program.
Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
Bug disclosure communications with DoctorC’s Security Team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.
Eligibility
Be the first to report the issue to us.
Must pertain to an item explicitly listed under Vulnerability Categories.
Must contain sufficient information including a proof of concept screenshot, video, or code snippet where needed.
You agree to participate in testing the effectiveness of the countermeasure applied to your report.
You agree to keep any communication with DoctorC private.
Vulnerability Categories
Vulnerability Type
Cross-Site Request Forgery
Cross-Site Scripting
Open Redirects
Cross Origin Resource Sharing
SQL Injection
Server Side Request Forgery
Privilege Escalation
Local File Inclusion
Remote File Inclusion
Leakage of Sensitive Data
Authentication Bypass
Directory Traversal
Payment Manipulation
Remote Code Execution
Information Disclosure
Subdomain Takeover
Insecure Direct Object Reference (IDOR)
Exclusions
Missing security best practices that do not in themselves constitute a vulnerability
Self XSS
Username or email address enumeration
Social engineering and email flooding
HTML injection and CSV injection
Open Redirects without demonstrating additional security impact (such as stealing auth tokens)
Clickjacking in unauthenticated pages or in pages with no significant state-changing action
Logout or unauthenticated CSRF
Missing cookie flags on non-sensitive cookies
Missing security headers that do not lead directly to a vulnerability
Unvalidated findings from automated tools or scans
Access to individual paid features on an ineligible plan
Attacks that require physical access to a user device
Host header attacks without evidence of the ability to target a remote victim
Use of a known-vulnerable library (without evidence of exploitability)
Low-impact descriptive error pages and information disclosures without any sensitive information
Invalid or missing SPF/DKIM/DMARC/BIMI records
Password and account policies, such as (but not limited to) reset link expiration or password complexity
Phishing risk via Unicode/punycode or RTLO issues
Testing of third-party plugins and subdomains is ineligible for a reward.
Missing rate limiting on endpoints (without any security concern)
Presence of EXIF information in file uploads
Ability to upload/download executables
Lack of mobile binary protection and mobile SSL pinning
Reports that rely on the behaviour of vulnerabilities in outdated browsers