Introducing Makaan.com Bug Bounty program
At Makaan.com, we treat all security reports as urgent and give them the utmost priority, resolving them within a reasonable timeframe. If you have found a serious security vulnerability on makaan.com or its Android/iOS apps, we appreciate your help in letting us know responsibly. As a token of our appreciation, we offer a monetary bounty for all legitimate security reports, depending on the impact of the issue.
Responsible Disclosure Guidelines:
- You will not publicly disclose the vulnerability before it has been fixed.
- You will protect our users' privacy and data and will not access or modify data without our permission.
- You will ensure that your testing causes no disruption to production systems, no degradation of user experience, and no destruction of data.
- If you inadvertently cause any privacy violation while testing, you must disclose it to us immediately.
- You will not exploit a security issue you discover, for any reason.
- Due to the high number of submissions, we may need a reasonable amount of time to fix the vulnerability you report. Please allow us time to respond to you.
- You will not attempt phishing or security attacks.
- You will not violate any other applicable laws or regulations.
- We will get back to you preferably within 5 working days.
- We will keep you updated about the reported bug and its fix at our end.
- We will work with you, if needed, to investigate and resolve the issue as quickly as possible.
- We will suitably reward you for your effort.
- We will mention your name on our Wall of Fame (with your consent).
- If you are a Makaan.com employee or are related to an employee (parent, sibling, spouse), you are not eligible for the bug bounty program.
- If you are a customer or a security researcher interested in making our systems safe, you are eligible
Report bugs to email@example.com.
Monetary bounties for security reports are entirely at Makaan.com's sole discretion and will be decided based on risk, impact, and other factors. To qualify for a bounty, you need to meet the following requirements:
- Adhere to our Responsible Disclosure Policy.
- Report a security bug: that is, identify a vulnerability in our services or infrastructure which creates a security or privacy risk.
- Your report must describe a problem involving one of the products or services listed under "Bug Bounty Program Scope".
- You will provide the assistance our team needs to resolve the issue.
- The bounty will be paid only after the issue has been fully resolved by Makaan.com.
- We reserve the right to publish reports (and accompanying updates) without seeking your approval.
- All payments will be made in Indian Currency (INR).
- In the event of duplicate reports, we award a bounty to the first person to submit an issue. A given bounty is only paid to one individual.
- We verify that all bounty awards are permitted by applicable laws.
- Note that extremely low-risk issues may not qualify for a bounty at all. We will have the sole discretion to ascertain the risk category.
- We seek to pay similar amounts for similar issues, but qualifying issues & amounts that are paid may change. Past rewards do not guarantee similar results in the future.
- A bounty shall only be paid for bugs previously unknown to Makaan.com. Already known bugs will not receive a bounty. Note: our internal bug tracking system is the reference for what is already known.
- You will refrain from contacting any employee of Makaan.com via any other means or channels regarding the program.
- If you disclose a bug/security issue via social media, you will be rendered ineligible for this program
The scope of the bug bounty program includes only these sites and apps:
- makaan.com (web & mobile apps)
Breach of program terms & guidelines
We expect you to respect all the terms and conditions of the program & responsible disclosure as stated above. Any breach will automatically disqualify you from the bug bounty program and serious breaches of the guidelines might result in the suspension of your account and/or legal action.
Changes to Program Terms
The Bug Bounty Program, including its policies, is subject to change or cancellation by Makaan.com at any time, without notice. As such, we may amend these Program Terms and/or its policies at any time by posting a revised version here.
Ineligible Reports and False Positives
Some submission types are excluded because they are dangerous to assess and/or because they have a low impact on us. This section lists issues that are not accepted under this program; they will be immediately marked as invalid and are not rewardable.
- Security issues in third-party services that integrate with our platforms. These are not managed by Makaan.com and do not qualify under our guidelines for security testing.
- Findings from physical testing such as office access (e.g. open doors, tailgating).
- Findings derived primarily from social engineering (e.g. phishing).
- Functional, UI and UX bugs and spelling mistakes.
- Refrain from running automated tools.
- Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.
- Issues that require physical access to a victim's computer.
- Network or application level Denial of Service (DoS/DDoS) vulnerabilities.
- Website scraping.
- Bugs requiring exceedingly unlikely user interaction.
- Flaws affecting the users of out-of-date browsers and plugins.
- The following finding types are specifically excluded from the bounty:
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP error codes/pages or other non-success HTTP codes/pages.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF in forms that are available to anonymous users.
- CSRF with minimal security implications (Logout CSRF, etc.).
- Presence of application or web browser 'autocomplete' or 'save password' functionality.
- Lack of Secure/HttpOnly flags on non-sensitive cookies.
- Lack of Security Speed Bump when leaving the site.
- Weak Captcha / Captcha Bypass
- Most brute-force issues or issues that can be exploited using brute-force
- Open redirects
- HTTPS mixed content (scripts loaded over HTTP)
- Username / email enumeration
- Publicly accessible login panels
- Reports that state that software is out of date/vulnerable without a proof of concept
- Host header issues without an accompanying proof-of-concept demonstrating the vulnerability
- Stack traces that disclose information
- Best practices concerns
- Internal IP disclosure
- Lack of enforcement of HTTPS via redirection
- Fingerprinting issues (e.g. open ports without an accompanying proof-of-concept demonstrating vulnerability, banner grabbing)
- Sensitive data in URLs/request bodies when protected by SSL/TLS
- Issues reported in microsites with minimal or no user data
- Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger
- Missing security headers that do not present an immediate security vulnerability
- SSL/TLS issues, e.g.:
- SSL/TLS scan reports (output from sites such as SSL Labs)
- SSL Attacks such as BEAST, BREACH, Renegotiation attack
- SSL Forward secrecy not enabled
- SSL weak/insecure cipher suites
Out of Scope bugs for Android apps
- Absence of certificate pinning
- Sensitive data stored in the app-private directory
- User data stored unencrypted on external storage
- Lack of binary protection control in android app
- Shared links leaked through the system clipboard.
- Any URIs leaked because a malicious app has permission to view URIs opened
- Sensitive data in URLs/request bodies when protected by TLS
- Lack of obfuscation
- OAuth or app secrets hard-coded in, or recoverable from, the APK
- Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)
Out of Scope bugs for iOS apps
- Absence of certificate pinning
- Lack of exploit mitigations (e.g. PIE, ARC, or stack canaries)
- Path disclosure in the binary
- User data stored unencrypted on the file system
- Lack of binary protection (anti-debugging) controls
- Lack of obfuscation
- Lack of jailbreak detection
- Runtime hacking exploits (exploits only possible in a jailbroken environment)
- OAuth or app secrets hard-coded in, or recoverable from, the app binary
- Snapshot/Pasteboard leakage
- Crashes due to malformed URL Schemes