byjus

Introduction

Please read and understand this document in its entirety. The document explains the guidelines, scope, exclusions, and the Responsible Vulnerability Disclosure Policy that BYJU'S has created for security researchers to submit vulnerability reports, for the systems in scope as outlined on this page.

BYJU'S recognizes the value external security researchers can bring to the security of BYJU'S systems, and we welcome and seek to acknowledge eligible contributions from security researchers, as outlined below. If you believe you have found a security vulnerability, we encourage you to let us know right away. We will investigate all legitimate reports, acknowledge the reporter and do our best to quickly fix the problem.

Before reporting, though, please review this page, including our responsible disclosure policy, acknowledgement guidelines, scope of the program, and our exclusions.

Responsible Vulnerability Disclosure Policy

For you to participate in the BYJU'S Responsible Vulnerability Disclosure Policy, we require that:

1. You find and report vulnerabilities in the assets listed in scope. Any vulnerabilities reported for assets that are not in scope may not be acknowledged regardless of whether the reported security issue is fixed by BYJU'S or not.

2. You submit the bug report with as many details as possible. The bug report structure expected is outlined in this document.

3. You ensure that any vulnerability research for an account related feature is done using an account that you have created. If using any other account to demonstrate a vulnerability, you will need to obtain explicit written permission from the said account owner which will need to be produced upon request.

4. You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data, and interruption or degradation of our services. You must not intentionally violate any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting unauthorized access to data.

5. If you accidentally access another account's data, sales information, order details, customer information or any information that is not created by you in the first place without authorization while investigating an issue, you must immediately stop any testing activity that will result in further access and data leakage and notify BYJU'S immediately with details of all the information that was accessed (including a description of the contents of the information that was accessed). Continuing to test and access data may demonstrate a lack of good faith and disqualify you from being acknowledged as a security bug reporter and may potentially invite additional legal scrutiny.

6. You must be available to provide any additional information when requested regarding a bug submission.

7. You do not exploit or perform any post exploitation activity as part of the testing. The testing must cease as soon as a bug is discovered. Any activity to capture a 'Proof of Concept' video is permitted as long as points 4 and 5 above are adhered to.

8. You give us reasonable time to investigate and mitigate an issue you report before publicly disclosing any information about the report or sharing such information with others. We read all reports within 24 hours of receiving a submission, but the validation and verification may take a little longer. It may take up to 10 business days for us to respond back to you. We request you to maintain issue secrecy and confidentiality while we get back to you.

9. You must follow the reporting structure as outlined below, maintain communication decorum and not reach out to any employee of BYJU'S or third-party vendors regarding updates, submission policies or any other discussions unless a communication is initiated from BYJU'S.

10. You are not employed by BYJU'S or any of its affiliates or an immediate family member of a person employed by BYJU'S or any of its affiliates.

11. You agree that BYJU'S' Security Team will be the sole decision maker for agreeing to whether a submission qualifies as a bug or not and whether the severity is warranted. Often due to the way the infrastructure and applications are set up, a high severity issue may have less impact due to internal security controls which may not be obvious from the outside. BYJU'S Security Team will ensure to calculate the severity based on all these factors to derive the final severity score, which will be binding to the submission.

12. References: Any relevant reference URLs that you think would help us understand the issue better.

Proof of Concept Video Attachment

Proof of Concept Video Attachment: This is mandatory as part of the submission. Bug submissions will not be evaluated without a Video PoC of the bug. You may add a voice overlay to explain what is happening in the video. Please refrain from having irrelevant music, voice or images within the video not directly related to the bug.

Responsible Vulnerability Disclosure Program Scope

An asset or application not explicitly mentioned here is out of scope. All submissions will be evaluated based on whether the submission aligns with the scope requirement as follows.

In-Scope Assets

Only the following assets are in scope:

1. BYJU'S Main website (https://byjus.com/ and https://www.byjus.com/)
2. Blog website (https://blog.byjus.com/)

Out of Scope Assets

The following is a list of assets that are not considered to be in scope for this Responsible Vulnerability Disclosure Program. Finding security issues in the following assets is highly discouraged and any vulnerabilities reported for the assets below may go unacknowledged even though BYJU'S may choose to remediate the security issue.

Please visit this page often to find the latest list of assets in and out of scope of the program.

1. Any other subdomain or applications of BYJU'S are out of scope if not mentioned in the In-Scope section, until further notice. This includes *.byjus.com, *.tllms.com and *.example.com

2. All network infrastructure assets of BYJU'S are out of scope. This includes any port scan results and the discovery of non web assets of BYJU'S (see Exclusions and False Positives below for examples)

3. All mobile applications belonging to BYJU'S are out of scope. This includes all published Android and iOS applications, past and present versions.

4. learn.byjus.com

Examples of Valid Vulnerability Submissions

The following is a non-exhaustive list of vulnerabilities that we would consider as valid vulnerability submissions:

• Remote Code execution
• Cross Site Scripting Issues (Reflected, Stored or DOM based)
• SQL Injection vulnerabilities
• BOLA/IDORs allowing access to unauthorized data
• XML injection issues
• Server Side Request Forgeries
• Logic Bugs that result in a security issue
• Authentication, Authorisation or Session Management Issues

The decision of whether a reported submission qualifies to be a Security issue rests with BYJU'S.

Exclusions and False Positives

The following is a non-exhaustive list of submissions we do not consider are security issues to BYJU'S:

1. Spamming, social engineering or phishing attempts

2. Denial of Service attacks

3. Broken Hyperlinks that point to content that is no longer present on the Internet

4. Security issues that can only be reproduced in browsers that are no longer supported by the browser vendor

5. Presence of application or web browser 'autocomplete' or 'save password' functionality

6. Older JavaScript versions in use, unless a Proof of Concept can be shown demonstrating a working exploit

7. Security issues in third-party integrations with BYJU'S assets

8. IDOR references to objects that you already have access to

9. Subdomain takeover bugs that cannot be demonstrated as a valid exploitable security issue. Please refer to https://github.com/EdOverflow/can-i-take-over-xyz to see a list of services that qualify. Additionally, ensure the subdomain is a valid in-scope asset before submitting the issue.

10. Rate limiting or Brute force issues. This includes WordPress xmlrpc.php or WordPress login brute force submissions.

11. Username enumeration bugs where a side channel like time delay is used. We may review a submission for an in-scope application that clearly provides a verbose error message (for example: 'The username is incorrect').

12. Forgot password feature being used to enumerate usernames.

13. User login and Forgot password feature being used to demonstrate account lockout.

14. OTP sending to arbitrary numbers or OTP guessing bugs, if the number of requests that can be made are insignificant without getting blocked.

15. Banner grabbing or server fingerprinting issues (for example: disclosing the server is Apache or nginx)

16. Web server or software version related bugs including the disclosure of the version number itself. We may review this on a case-by-case basis if a working exploit for the software has been published or if the software is being actively exploited in the wild.

17. Disclosure of known public files or directories, (e.g. robots.txt)

18. Clickjacking and issues only exploitable through clickjacking

19. Missing SPF or DMARC records

20. Session timeout related bugs

21. Self XSS issues where the victim is the user planting the attack payload.

22. Flash or Silverlight related security issues.

23. Stack traces, application or server errors that do not reveal a significant amount of internal server or application information.

24. Caching related issues that cannot be used to access resources without authentication.

25. HTTP 404 or other non-200 code pages.

26. Password complexity requirements during registration and login.

27. CSRF issues on Login/Logout functionality, on forms that are available to anonymous users (contact form, registration form etc.)

28. Accessing content from our CDNs (Content Delivery Network), unless the data is meant to be presented after authorization.

29. Exposed Login Panels for software, including WordPress being accessible to the world

30. Directory listings. We may review this as a submission if unauthorized data access is possible.

31. Full path disclosures due to error pages or verbose stack trace information.

32. Open redirects that require a shim or a token to proceed to the final target

33. Email addresses, BYJU'S information in JavaScript or HTML comments.

34. Expired domains, SSL/TLS certificates or exposure of information via SSL/TLS certificate's Subject CN or via Certificate Transparency Logs.

35. Best practice bugs like missing security headers, CSP implementation, HSTS, cache-control headers, SSL/TLS implementations, missing CAPTCHA etc.

36. Security issues arising out of physical access or theft of BYJU'S property or access to the physical location of BYJU'S offices.

37. Any automated scanner reports that are not validated and show an impact on BYJU'S in-scope assets

38. Any other highly speculative bug submission that talks about theoretical damage etc.

---

Policy: https://byjus.com/reporting-issues-on-byjus-website/