Upstox Bug Bounty Program
Found a bug on our platform? Report it and get rewarded.
Driven by tech, but led by people Upstox believes in maintaining the highest levels of security at all times. And to do that we need your help. Scrutinize, search and send us reports on any bugs you find on our app or web platform, and together lets bug it out!
Bug Severity Levels
- Pre-authentication reflected or DOM XSS (Cross-site scripting)
- Any stored XSS that is generally accessibly by users
- Command injection (blind command injection should pay more)
- Deserialization attacks
- Forced browsing attackers that supply credentials, including session tokens of logged in users
- SQL injection (2nd order SQLi and command execution through SQLi should pay more)
- Forced browsing leading directly to customer data
- Account takeover vulnerabilities (e.g. an attacker can take control of a user’s account through a logic flaw or inappropriate session handling)
- Post-authentication reflected or DOM XSS
- CSRF vulnerabilities that involve purchases, sales, or funds transfers
- OTP bypass
- Logic flaws allowing manipulation of data
- Directory browsing enabled for forced browsing leading to bulk sensitive data download
- Session fixation
- Logic flaws resulting in potential privilege escalation
- Most CSRF vulnerabilities (those not listed explicitly in the high category)
- Directory browsing enabled for forced browsing leading to isolated data download
- Logic flaws not resulting in privilege escalation, but resulting in data integrity issues
- Account enumeration where rate limiting is not enforced
- Clickjacking possibility, aka X-Frame-Options (you might consider this not in scope)
- Logic flaws that do not result in privilege escalation or data integrity issues
- Directory browsing enabled, no critical files available
- Any display of information not critical to business
- Internal asset enumeration/disclosure (e.g. internal path names, IP addresses, etc)
Not in Scope
- Content Security Policy (CSP) not deployed/implemented
- HttpOnly flag not set on cookies
- Outdated software for which public exploits do not exist
- Outdated software that cannot be exploited in the current configuration
- Lack of SPF or DKIM records
- Missing HTTP security headers that do not directly lead to exploitable conditions
Rules of Disclosure
- The monetary reward and severity will be decided based on the criticality of the issue on a case-to-case basis by us and the vulnerability should only be submitted at firstname.lastname@example.org
- The person reporting the bug or members of any external organization who were/are part of the supporting development teams, and their relatives are not allowed to participate in the Bug Bounty Program.
- Vulnerabilities reported should be from the latest stable version.
- The bug must be new and not previously reported. The Upstox Security team will send a reply to you within couple of woking days if your submitted vulnerability has been previously reported.
- We may choose not to provide any monetary benefit if we feel the vulnerability is not critical and/or the submission doesn’t follow any of the guidelines provided by Upstox.
- Your testing and identification of the bug should not affect any commercial/trading service at Upstox, Also you must not break any laws to discover and identify the vulnerabilities.
- In the absence of confidentiality, the contributor will not be eligible for any reward. Rewards will be transferred only when the patch for the vulnerability is in place.
- The program may be amended, or discontinued, without notice, at any time.
- The bug should not be a random occurrence (i.e. can be reproduced easily). It must be remotely exploitable by us in a standard configuration.