Policy
No technology is perfect, and People Interactive believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Disclosure Policy
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
Bounty Eligibility
● You must be 18 or older to be eligible to participate in this program/award.
● You must agree to and adhere to the Program Rules and Legal terms as stated in this policy.
● You must be the first to report the issue in order to be eligible for a bounty.
● You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.
● Shaadi.com Partners, employees, and their friends are not eligible for participation in this program.
In-Scope
● *shaadi.com
● Android: Play Store com.shaadi.android
● iOS: App Store com.shaadi.iphone
Out Of Scope
● min.shaadi.com
● help.shaadi.com
● s18.shaadi.com
● response.shaadi.com
● blog.shaadi.com
● Tech.shaadi.com
Focus Areas
● Access Control Issues (Insecure Direct Object Reference Issues, Privilege Escalation, etc.)
● Leakage of PII of an individual or other users
● Blind Cross-site Scripting (XSS)
● User Account Takeover
● Cross-Site Request Forgery (CSRF)
● Server-Side Request Forgery (SSRF)
● SQL Injection
● Directory Traversal Issues
● Local File Disclosure (LFD) and Remote File Inclusion (RFI)
● Business Logic Vulnerabilities
● XML External Entity Attacks (XXE)
● Remote Code Execution (RCE)
● Mobile-specific API vulnerabilities
Exclusions (Web Application)
● Denial of service
● Social engineering (including phishing) of People Interactive staff
● Any physical attempts against People Interactive property or data centers
● Findings as reported by automated tools without additional analysis as to how and what is vulnerable
● Contact information of a member received via any front-end feature working as designed (e.g. a type of premium membership may allow free members to access premium contact details)
● Publicly accessible login panels
● Open redirects / Lack of security speed bump when leaving the site
● Accessible Non-sensitive files and directories (e.g. README.TXT, CHANGES.TXT, robots.txt, .gitignore, etc.)
● Descriptive error messages (e.g. stack traces, application or server errors, path disclosure)
● Clickjacking is out of scope unless it has an impact on the user’s data
● CSRF issues that don't impact the integrity of an account
● HTTPS mixed content scripts
● Missing best practices in Content Security Policy
● Reflected Cross-site Scripting (XSS)
Exclusions (Mobile Application)
● Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device
● Vulnerabilities requiring extensive user interaction
● Exposure of non-sensitive data on the device
● Vulnerabilities on third-party libraries without showing a specific impact on the target application (e.g. a CVE with no exploit)
What to include in your report
A well-written report will allow us to quickly and accurately triage your submission. So please include:
● A clear description of the issue, including the impact you believe it has on the user, a Proof of Concept (PoC), specific reproduction steps including the environment used for testing (browsers, devices, tools, configuration), and any accounts used during testing.
● Your recommendations to resolve the issue.
● Email your report to bugbounty@peopleinteractive.in with the subject "Bug Bounty" and include your contact details in it.
Rewards
All bounty amounts will be at the discretion of the Shaadi.com Bug Bounty team, which will evaluate the severity, impact, and quality of the report to determine the bounty level. There may be submissions for which we accept the risk and will not fix the issue.
Severity Level ---- Reward
Informational ---- Certificate of Appreciation
Low ---- Bounty of INR 5,000 + Certificate of Appreciation
Medium ---- Bounty of INR 10,000 + Certificate of Appreciation
High ---- Bounty of INR 15,000 + Certificate of Appreciation
Critical ---- Bounty of INR 20,000 + Certificate of Appreciation
Legal
Shaadi.com reserves the right to modify the terms and conditions of this program, and your participation in the program constitutes acceptance of all terms. Please visit this website regularly, as we routinely update our program terms and eligibility criteria, which become effective upon posting. We reserve the right to cancel this program at any time without any notice, obligation, or liability to anyone.
Safe Harbour
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep People Interactive and our users safe!