Policy
No technology is perfect, and People Interactive believes that working with skilled security researchers across the globe is crucial to identifying weaknesses in any technology. If you believe you have found a security issue in our product or service, we encourage you to notify us. We may need to ask you for more information about the vulnerability, and we appreciate your cooperation in providing the necessary details. Before you report any security issue, please first review this bug bounty policy and familiarise yourself with the reporting guidelines below; this will help you understand the process and ensure a smoother experience when reporting security concerns. We look forward to working with you to resolve the issue promptly.
Disclosure Policy
To ensure confidentiality, you are required to keep all information regarding bugs or security incidents affecting Shaadi.com strictly private. Prior approval from Shaadi.com is required before disclosing such information publicly or in any other manner. Please understand that it may take some time for us to review your bug bounty submission and address the reported vulnerability, so we ask for your patience and a reasonable amount of time to respond. Accessing any data or internal resources of Shaadi.com, or the data of our customers, is strictly prohibited without prior approval from the Shaadi.com security team. Please also refrain from social engineering and phishing attacks: such findings will not be considered valid, and if identified they may result in the suspension of your account and appropriate legal action.
Bounty Eligibility
● You must be 18 or older to be eligible to participate in this program.
● You must agree to and adhere to the Disclosure Policy and Legal terms as stated in this policy.
● You must be the first to report the issue in order to be eligible for a bounty. Duplicate submissions are not eligible for any reward or recognition.
● You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.
● Shaadi.com Partners, employees, and their friends are not eligible for participation in this program.
In-Scope
● *shaadi.com
● Android: Play Store com.shaadi.android
● iOS: App Store com.shaadi.iphone
Out Of Scope
● min.shaadi.com
● help.shaadi.com
● s18.shaadi.com
● response.shaadi.com
● blog.shaadi.com
● tech.shaadi.com
● affiliate.shaadi.com
● fev.shaadi.com
Focus Areas
● Access Control Issues (Insecure Direct Object Reference (IDOR), Privilege Escalation, etc.)
● Leakage of personally identifiable information (PII) belonging to individual users or other members
● Blind Cross-site Scripting (XSS)
● User Account Takeover
● Cross-Site Request Forgery (CSRF)
● Server-Side Request Forgery (SSRF)
● SQL Injection
● Directory Traversal Issues
● Local File Disclosure (LFD) and Remote File Inclusion (RFI)
● Business Logic Vulnerabilities
● XML External Entity Attacks (XXE)
● Remote Code Execution (RCE)
● Mobile-specific API vulnerabilities
Exclusions(Web Application)
● Denial-of-service attacks, or vulnerabilities that lead to DoS/DDoS
● Social engineering
● Any physical attempts against People Interactive property or data centers
● Findings as reported by automated tools without additional analysis as to how and what is vulnerable
● Contact information of a member received via any front-end feature working as designed (e.g. a type of premium membership may allow free members to access premium contact details)
● Publicly accessible login panels
● Open redirects / Lack of security speed bump when leaving the site
● Accessible non-sensitive files and directories (e.g. README.TXT, CHANGES.TXT, robots.txt, .gitignore, etc.)
● Descriptive error messages (e.g. stack traces, application or server errors, path disclosure)
● Clickjacking
● CSRF issues that don't impact the integrity of an account
● HTTPS mixed content scripts
● Missing best practices in Content Security Policy
● Reflected Cross-site Scripting (XSS)
● Server/software banner or version information.
● HTML/Text Injection
● Email verification deficiencies, expiration of password reset links, and password complexity policies
● Login or Forgot Password page brute force and account lockout not enforced
● Rate limit mechanism bypass
● Third party API key disclosures without any impact or which are supposed to be open/public.
● CORS (Cross-Origin Resource Sharing) misconfigurations
● Any kind of spoofing attack, or any attack that leads to phishing (e.g. email spoofing, capturing login credentials with a fake login page)
Exclusions(Mobile Application)
● Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device
● Vulnerabilities requiring extensive user interaction
● Exposure of non-sensitive data on the device
● Vulnerabilities on third-party libraries without showing a specific impact on the target application (e.g. a CVE with no exploit)
What to include in your report
A well-written report will allow us to quickly and accurately triage your submission. So please include:
● A clear description of the issue, including the impact you believe it has on users.
● A proof of concept (PoC).
● Specific reproduction steps, including the environment used for testing (browsers, devices, tools, configuration) and any accounts used during testing.
● Your recommendations to resolve the issue.
● Email your report to bugbounty@peopleinteractive.in with the subject "Bug Bounty", and include your contact details in the message.
Rewards
All bounty amounts are at the discretion of the Shaadi.com Bug Bounty team, which evaluates the severity and impact of the issue and the quality of the report to determine the bounty level. Some submissions may describe risks that we choose to accept and will not fix.
Severity Level   Reward
Informational    Certificate of Appreciation
Low              Bounty of INR 5,000 + Certificate of Appreciation
Medium           Bounty of INR 10,000 + Certificate of Appreciation
High             Bounty of INR 15,000 + Certificate of Appreciation
Critical         Bounty of INR 20,000 + Certificate of Appreciation
Legal
Shaadi.com reserves the right to modify the terms and conditions of this program, and your participation in the program constitutes acceptance of all terms. Please visit this page regularly, as we routinely update the program terms and eligibility criteria; changes are effective upon posting. We reserve the right to cancel this program at any time without notice, obligation, or liability to anyone.
Safe Harbour
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep People Interactive and our users safe!