IndiaMART Bug Bounty Program

Welcome to the IndiaMART Bug Bounty Program

Introduction

IndiaMART bug bounty program is our way to reward security researchers for finding serious security vulnerabilities in our core application indiamart.com. Please report any vulnerabilities with full details to bughunter@indiamart.com.

Policies

Eligibility:

The scope of the bug bounty program is limited to the vulnerability listed under in scope. Valid vulnerabilities on any indiamart.com domain which are not explicitly listed in the scope will be accepted but shall be ineligible for a bounty reward. For example, vulnerabilities on any indiamart.com properties not listed below will not be awarded a bounty unless impact on indiamart.com security posture can be demonstrated.

All software components that are used within the indiamart.com application may be exploited in your attack. Please note that bugs in third party components only qualify if you can prove that they can be used to successfully attack our systems or applications. Reports having genuinity and consisting of actual security or privacy impact shall be rewarded.

For Bounty eligible assets, indiamart.com default policy is to award the bounty after our Technical and Security Team confirms the issue during the Triage process. We generally won't wait to award a bounty until the item is fixed,however, we may make an exception to this policy on a report-by-report basis as and when we deem fit.

If you need further clarification of the rules or scope of our bug bounty program, you may email us at infosec@indiamart.com.

Bounty Amounts Calculations:
Bounty amounts will be determined using our CVSS Bounty Calculator. In most cases, we will only triage and reward vulnerabilities with a CVSS score greater than 0.

Rewards

LowINR 1000
MediumINR 3500
HighINR 7000
CriticalINR 350000

Program Rules

  1. Do not run automated scans without checking with us first. 
  2. Do not test the physical security of indiamart.com offices, employees, equipment, etc.
  3. Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  4. Do not perform DoS or DDoS attacks.
  5. In any way, attack our end users, or engage in trade of stolen user credentials.
  6. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  7. You must disclose all possible ways to exploit an issue in your original report. indiamart.com will not issue a bounty, follow-on bounty, or bonus if we believe you are abusing the report system by not providing complete information in your initial report.
  8. Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. This usually requires a working proof-of-concept typically in the form of a clickable link that we can verify. Videos or screenshots are not considered definitive proof.
  9. Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  10. When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  11. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  12. If you are a IndiaMART employee or are related to an employee (parent, sibling, spouse), you are not eligible for the bounty bug program
  13. If you are a IndiaMART customer or a security researcher interested in making our systems safe, you are eligible
  14. Bounties are issued solely at the discretion of indiamart.com.

In Scope:

  1. Indiamart.com and its sub-domain
  2. Our mobile sites - m.indiamart.com
  3. Our mobile apps - Android & iOS 
  4. Broken Authentication (including OAuth bugs)
  5. Broken Session flaws
  6. Code Executions
  7. Server Side Request Forgery (SSRF)
  8. Privilege Escalations
  9. Authentication Bypasses
  10. File inclusions (Local & Remote)
  11. Misuse/Unauthorized use of our APIs
  12. Improper TLS protection
  13. Leakage of sensitive data
  14. Directory Traversal
  15. Payment manipulation
  16. Open Redirects (With significant security impact)

Out of Scope:

  1. Vulnerabilities affecting users of outdated browsers or platforms
  2. Any kind of Data breach activities
  3. Any hacker activities for the purpose of disruption of service.
  4. Missing HTTP security headers, specifically OWASP Headers
  5. Issues that require unlikely user interaction
  6. Best practices/issues
  7. Unverified Results of automated tools or scanners
  8. Issues related to networking protocols or industry standards
  9. Cross-Site Scripting (XSS).
  10. Cross-Site Request Forgery (CSRF)
  11. SQL Injection
  12. Unsecured S3 buckets
  13. Out of Scope bugs for Android
    • Absence of certificate pinning
    • Sensitive data stored in app private directory
    • User data stored unencrypted on external storage
    • Lack of binary protection control in android app
    • Shared links leaked through the system clipboard.
    • Any URIs leaked because a malicious app has permission to view URIs opened
    • Sensitive data in URLs/request bodies when protected by TLS
    • Lack of obfuscation
    • oauth &#;app secret#; hard-coded/recoverable in apk
    • Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope)
  14. Out of Scope bugs for IOS
    • Absence of certificate pinning
    • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
    • Path disclosure in the binary
    • User data stored unencrypted on the file system
    • Lack of binary protection (anti-debugging) controls
    • Lack of obfuscation
    • Lack of jailbreak detection