Sathisung.com Bug Bounty
Sathisung.com is launching a bug bounty program to foster collaboration among security professionals. With this program, we believe we can help protect our members' personal information from malicious activity that exploits vulnerabilities in our networks, web and mobile applications, and set security policies across our organization. We treat the security and safety of our members' personal information with the utmost importance.
For the protection of our members, Sathisung.com does not disclose, discuss or confirm security matters until it has comprehensively investigated, diagnosed and fixed any known issues.
Program Rules
§ Do not intentionally harm the experience or usefulness of the service to others, including degradation of services & denial of service attacks.
§ Do not access or modify our data or our users' data, without explicit permission. Only interact with your own accounts.
§ Do not disclose the reported vulnerability to anyone else until we've had reasonable time to fix it.
Bounty Eligibility
§ You must be 18 or older to be eligible to participate in this program/award.
§ You must agree and adhere to the Program Rules and Legal terms as stated in this policy.
§ You must be the first to report the issue in order to be eligible for bounty*.
§ You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.
§ Sathisung.com Partners, employees and their friends are not eligible for participation in this program.
Exclusions
§ Attacks dependent upon social engineering
§ Attacks requiring physical access to a user's device
§ Attacks requiring physical access to a device or MitM
§ Attacks requiring an attacker in a Man-in-the-Middle position
§ CSRF (Cross Site Request Forgery)
§ XSS (Cross Site Scripting)
§ Host Header Injection
§ Content spoofing / text injection
§ Hyperlink injection in emails using forms available to any user
§ Denial of Service attacks
§ Clickjacking, without additional details demonstrating a specific exploit
§ Contact information of a member received via any front-end feature working as designed, e.g. a type of premium membership may allow free members to access premium contact details.
§ Disclosure of known public files or directories
§ Enforcement policies for brute force or account lockout
§ Password and account recovery policies
§ Issues related to active sessions after password changes.
§ Mail configuration issues including SPF, DKIM, DMARC settings
§ Mixed content issues
§ HTTP method enabled
§ Outdated software / library versions
§ Presence of autocomplete functionality in form fields
§ Publicly accessible login panels
§ Rate-limiting issues / insufficient Anti-Automation
§ Descriptive error messages or headers (e.g. Stack Traces, application or server errors, banner grabbing)
§ Cookies that lack HttpOnly or Secure settings for non-sensitive data
§ Missing security headers without additional details or a POC demonstrating a specific exploit
§ SSL/TLS best practices
§ Use of a known-vulnerable library without a description of an exploit specific to our implementation
§ Username enumeration based on login or forgot password pages
§ Reports from automated tools or scans
Shaadi.com reserves the right to add to and subtract from the Exclusions list depending on evaluated severity of reported vulnerabilities and risk acceptance.
Rewards
All bounty amounts are at the discretion of the Sathisung.com Bug Bounty team, which will evaluate each report for severity, impact, and quality to determine the bounty level. There may be submissions for which we accept the risk and will not fix the issue.
Leaks entire database in one go - High
Bounty of INR 15,000 + Certificate of Appreciation
Leaks contact details one by one through trial and error - Medium
Bounty of INR 10,000 + Certificate of Appreciation
Leaks contacts of 'accepted' members without payment - Low
Bounty of INR 5,000 + Certificate of Appreciation
What to include in your report
A well-written report will allow us to triage your submission more quickly and accurately. Please include:
§ A clear description of the issue, including the impact you believe it has on the user, Shaadi.com, or others.
§ Specific reproduction steps including the environment used for testing (browsers, devices, tools, configuration) and any accounts used during testing.
§ Your recommendations to resolve the issue.
§ You can email your report to help@Sathisung.com with the subject "Bug Bounty" and your contact details included.
Legal
Sathisung.com reserves the right to modify the terms and conditions of this program, and your participation in the program constitutes acceptance of all terms. Please visit this website regularly, as we routinely update our program terms and eligibility, which will be effective upon posting. We reserve the right to cancel this program at any time without any notice, obligation or liability to anyone.
