Upstox Bug Bounty Program
Found a bug on our platform? Report it and get rewarded. Driven by tech, but led by people Upstox believes in maintaining the highest levels of security at all times. And to do that we need your help. Scrutinize, search and send us reports on any bugs you find on our app or web platform, and together lets bug it out!
*Gmail account is required to submit the vulnerability
Bug Severity Levels
- Pre-authentication reflected or DOM XSS (Cross-site scripting)
- Any stored XSS that is generally accessibly by users
- Command injection (blind command injection should pay more)
- Deserialization attacks
- Forced browsing attackers that supply credentials, including session tokens of logged in users
- SQL injection (2nd order SQLi and command execution through SQLi should pay more)
- Forced browsing leading directly to customer data
- Account takeover vulnerabilities (e.g. an attacker can take control of a user’s account through a logic flaw or inappropriate session handling)
- Post-authentication reflected or DOM XSS
- CSRF vulnerabilities that involve purchases, sales, or funds transfers
- OTP bypass
- Logic flaws allowing manipulation of data
- Directory browsing enabled for forced browsing leading to bulk sensitive data download
- Session fixation
- Logic flaws resulting in potential privilege escalation
- Most CSRF vulnerabilities (those not listed explicitly in the high category)
- Directory browsing enabled for forced browsing leading to isolated data download
- Logic flaws not resulting in privilege escalation, but resulting in data integrity issues
- Account enumeration where rate limiting is not enforced
- Logic flaws that do not result in privilege escalation or data integrity issues
- Directory browsing enabled, no critical files available
- Any display of information not critical to business
- Internal asset enumeration/disclosure (e.g. internal path names, IP addresses, etc)
- Clickjacking possibility, aka X-Frame-Options (User Interface)
Not in Scope
- Content Security Policy (CSP) not deployed/implemented
- Text Injection
- CSRF, CORS, HSTS
- HttpOnly flag not set on cookies
- Outdated software for which public exploits do not exist
- Outdated software that cannot be exploited in the current configuration
- Lack of SPF, DKIM & DMARC records
- Missing HTTP security headers that do not directly lead to exploitable conditions
- DoS / DDoS attacks
- UAT / DEV environment
- Session expiration
- Rate Limiting
- Origin IP found
- Exif data
- Bug bounty form and services
Rules of Disclosure
- The security researcher knows his responsibility and adheres to all ethical guidelines.
- The security researcher reporting the bug or members of any external organization who were/are part of the supporting development teams and their relatives are not allowed to participate in the Bug Bounty Program.
- The security researcher may report any security breaches and vulnerabilities found in the system or network.
- The security researcher should keep their discoveries confidential at all times and not disclose the vulnerability to the public or other organizations.
- The security researcher shall not copy, paste, share, transfer, replicate, or any such activity that would lead to data breach and shall maintain utmost precaution in handling the data shared by the Upstox and shall at all times adhere to the data security policy of the Upstox.
- The security researcher shall act professionally, including but not limited to testing activities, and shall not be associated with malicious hackers or malicious activities.
- Testing and identification of the bug should not affect any commercial/trading service at Upstox. Also, you must not break any laws to discover and identify the vulnerabilities.
- The use of social engineering techniques on our customers or staff is not accepted.
- The bugs identified in the UAT / Dev environment are not accepted.
- The security researcher shall always maintain data protection of all the Customers of the Upstox.
- The monetary reward and severity will be decided based on the criticality of the issue on a case-to-case basis.
- Vulnerabilities reported should be from the latest stable version.
- The bug must be new and not previously reported. The Upstox Security team will send a reply to you within a couple of working days if your submitted vulnerability has been previously reported.
- We may choose not to provide any monetary benefit if we feel the vulnerability is not critical or the submission doesn’t follow any of the guidelines provided by Upstox.
- The program may be amended or discontinued, without notice, at any time.
- The bug should not be a random occurrence (i.e., it can be reproduced easily). It must be remotely exploitable by us in a standard configuration.