Flipkart Bug Bounty Program
Overview
At Flipkart, we take the security of our systems very seriously, and it is our constant endeavour to make our products secure for our customers. However, in the rare case when some security researcher or member of the general public identifies a vulnerability in our systems, and responsibly shares the details of it with us, we appreciate their contribution, work closely with them to address such issues, and ensure that they are rewarded fairly for their contribution.
Instructions for signing up Flipkart accounts
- Researchers with an Indian phone number can sign up/log in using OTP. Please do not open multiple accounts, as this creates spam.
- Only our Android application supports sign-up via international phone numbers.
Report Eligibility
- Be the first to report a vulnerability.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty. If the root cause is the same and only the endpoints differ within the same application, the report will be treated as a duplicate. Exceptions are sometimes made at the discretion of the Flipkart security team.
- Provide high quality reports with clear and comprehensive reproducible steps. High quality submissions allow our team to better understand the issue and relay the bug to the internal teams to fix it quickly.
Program Rules
- Please do not use any vulnerabilities to cause direct damage to our products or customers.
- Please do not perform password spraying on any real user accounts in any of our applications.
- Please refrain from using automated scanners/tools as some actions could trigger changes or damage our production systems and data.
- Please do not send our employees or users malware as a part of testing. Also, social engineering against employees (phishing, vishing, smishing, etc.) is not acceptable.
- Please do not attempt to sneak into our premises either secretly or by using social engineering.
- Subsidiaries, parent companies and affiliates are not in scope unless explicitly listed in the in-scope section.
- Outdated software versions are subject to a 30-day blackout period to allow time for internal patching and testing (for instance, issues resulting from a 0-day, 1-day, etc.). Rewards will not be given for outdated software versions reported during this period.
- Please keep all communication within the HackerOne program. Please do not directly contact our Customer Support or any Flipkart employee regarding the status of a submission. This will result in automatic disqualification for any reward, regardless of severity.
Scope Rules and Policy
We advise sticking strictly to the scope defined for this program. Submissions on assets that are not within scope are not entertained; however, based on severity and business impact, they may be considered for acceptance on a case-by-case basis.
Out of scope vulnerabilities
- Mobile apps of Flipkart and Myntra are out of scope (OOS) for this engagement
- Username enumeration via signup, account and recovery forms
- Rate-limiting related issues.
- Vulnerabilities regarding SPF/DMARC/DKIM records without verifiable proof of spoofing to a major mail client
- Best-practice concerns such as cookies not marked Secure and HttpOnly, missing HSTS, SSL/TLS configuration, or missing security headers.
- Vulnerabilities reported by automated tools and scanners without additional proof of concept
- Vulnerabilities that only affect outdated app versions or browsers - we consider vulnerabilities only in the versions of our applications that are currently in the app store and exploits only in the latest browser versions
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Exploits that need MITM or physical access to the victim's device
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF
- Previously known vulnerable libraries without a working Proof of Concept
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Open redirect vulnerabilities are out of scope by default; if you chain one with a different vulnerability and demonstrate impact, we would be interested.
- Stack traces, directory listings or path disclosures
- Self XSS
- Social engineering attacks against users or Flipkart employees
- CVEs for outdated software with Low or Medium severity impact won't be considered for reward.
- Internal credential leak reports will not be awarded a bounty. However, exceptions can be made where there is direct impact to the organization, at the discretion of the Flipkart security team.
- Credential leaks from personal repositories, dark web URLs, or leak sites such as huntr.io and haveibeenpwned.com are not eligible for bounty.
- Credential leaks on the following are strictly OOS:
  - @partner.flipkart.com
  - *.myntrainfo.com
  However, exceptions can be made where there is direct impact to the organization, at the discretion of the Flipkart security team.
- Employee credential leak reports will not be awarded a bounty. However, exceptions can be made where there is direct impact to the organization, at the discretion of the Flipkart security team.
- Document exposures are generally out of scope and are not eligible for a reward; however, this can differ from scenario to scenario at our discretion.
- Cloud Bucket Leak - Please note that only leaks pertaining to customer data will be eligible for bounty
Rewards
There are 2 core brands under this program, Flipkart and Myntra, with their own assets and bounty tiers.
Flipkart brand assets (Tier 1)
| Asset Type | Critical | High | Medium | Low |
|---|---|---|---|---|
| Tier 1 | $3,500+ | $2,000+ | $750+ | $300+ |
Myntra brand assets (Tier 2)
| Asset Type | Critical | High | Medium | Low |
|---|---|---|---|---|
| Tier 2 | $2,000+ | $1,250+ | $550+ | $200+ |
We may choose to pay higher rewards for very clever/severe vulnerabilities or lower rewards for vulnerabilities that require significant user interaction/are very difficult to exploit.
Note: While we offer $3,500 and $2,000 Critical bounties for the two tiers of assets, we may choose to pay out a higher amount, in the form of a bonus, for high-quality, impactful and complex vulnerabilities.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Flipkart and our users safe!