Groww Bug Bounty Program

Welcome to Groww's Bug Bounty Program! We highly appreciate your efforts in helping us identify and address security vulnerabilities in our platform. Your involvement in this program actively helps in creating a more secure environment for every user on Groww.

Reporting Security Vulnerabilities

If you have discovered a potential security vulnerability, we encourage you to report it to us promptly. We take all reports seriously and will investigate and address any valid findings.

Eligibility for the reward

[1] Bugs should be reported directly to the organization and kept confidential until the issue is fixed, ensuring responsible disclosure.

[2] Only the first hacker to report the issue is eligible for the reward; duplicate submissions of the same bug will not receive any reward.

Rewards

Our security team assesses the severity of reported Vulnerabilities/Issues/Bugs individually to decide the appropriate reward. For exceptionally unique and challenging-to-find vulnerabilities, we may offer higher rewards than the minimum bounty amount. On the other hand, issues with complex requirements and lower risk of impacting our platforms or that align with best practices might receive comparatively lower rewards.

How to Report a Bug

• Visit our bug bounty submission page at https://bugbase.ai/programs/groww and click on Submit Report.

• Fill out the necessary details, including a detailed description of the vulnerability, steps to reproduce it, and any supporting evidence, then submit the issue.

Upon submitting the issue, a confirmation email will be sent to confirm submission and begin the bug triage process. Our security team will review your submission and get back to you if additional information is required.

We aim to provide a timely response and keep you informed about the progress of the investigation.

Targets In Scope

• groww.in
• Groww Android Application
• Groww iOS Application
• Groww Credit Android Application
• Groww Credit iOS Application
• *.groww.in
• Groww Mutual Fund
• Api Trading (APEX)

In-Scope Vulnerability Examples

Our bug bounty program covers security vulnerabilities found on the Groww platform, including but not limited to:

• Remote Code Execution
• Significant Authentication Bypass
• Significant Authorization Bypass
• Cross Instance Privilege Escalation
• Server Side Request Forgery (SSRF)
• Insecure Direct Object Reference (IDOR)
• SQL Injection
• Cross-Site Scripting (XSS) (excluding self-XSS)
• Cross-Site Request Forgery (CSRF) on critical actions
• Insecure/Open Redirect (which allows stealing secrets/tokens)
• (Sub)domain hijacking or DNS Hijacking
• Findings that reveal valid and bulk sensitive data of our customers and staff

Targets Out of Scope

• All sandbox and staging environments
• All external services/software not managed or controlled by Groww
• Newly acquired company websites/mobile apps are subject to a 12-month blackout period.

Out of Scope Domains/Subdomains:

• growwerp.groww.in
• tech.groww.in
• digest.groww.in
• smallcases.groww.in
• smallcases-release.groww.in
• mfastra.in

Out of Scope Vulnerability Examples

• Missing HTTP security headers (e.g., X-Frame-Options, X-XSS-Protection, Opener Policies)
• SSL/TLS issues (e.g., BEAST, BREACH, weak/insecure cipher suites)
• Descriptive error messages (e.g., stack traces, application or server errors)
• Spamming (e.g., SMS/Email Bombing)
• HTTP 404 codes/pages or other HTTP non-200 codes/pages
• Fingerprinting/banner disclosure on public services
• MITM attacks – traffic interception-based attacks are out of scope
• Disclosure of known public files or directories (e.g., robots.txt, readme.txt)
• CSRF on forms available to anonymous users (e.g., the contact form)
• Login-Logout cross-site request forgery
• Presence of application or browser 'autocomplete' or 'save password' functionality
• Lack of Secure and HTTPOnly cookie flags
• OPTIONS/TRACE HTTP method enabled
• HTTPS Mixed Content Scripts
• Vulnerabilities that require installation of software on the victim's device
• (Distributed) Denial of Service attacks
• Vulnerabilities requiring physical device access or root/jailbroken devices
• SSL Pinning bypass and bypassing root/jailbroken detection
• Any language, grammar, technical inaccuracy, or UI/UX issues
• Expired domains, SSL/TLS certificates, or leakage via Certificate Transparency Logs
• Unclaimed social media accounts
• Reports of keys/tokens in JS without proven exploitability
• Use of known-vulnerable libraries or frameworks
• Vulnerabilities affecting outdated/unpatched browsers
• Subdomain takeover issues without valid proof of concept
• Known CVE vulnerabilities without proof of exploitability
• Bugs already classified as ineligible
• Rate limiting or IP-based rate limiting (unless it implies a severe threat)
• Lack of X-User-Campaign header for non-critical API (e.g., login, live data)
• Social Engineering / Phishing attacks

Guidelines and Rules

To ensure a successful bug bounty program, please adhere to the following guidelines:

• Do not violate user privacy, destroy data, or disrupt Groww services.
• Do not disclose or share any reported vulnerabilities before resolution.
• Only target systems and assets within the defined scope.
• Provide clear and detailed reports, including steps to reproduce the vulnerability.
• Respect user privacy and confidentiality.
• Do not perform any attack that could harm the reliability, integrity, and capacity of our services. DDoS/spam attacks are not allowed.

Legal Considerations

While we appreciate your participation, it is essential to respect and comply with all applicable laws and regulations. We will not take any legal action against security researchers who act responsibly and in good faith during their participation in the bug bounty program.

However, any unauthorized actions or attempts to exploit vulnerabilities beyond the defined scope will be handled according to the law.

Note: Submissions are only eligible for validation when submitted through our official bug bounty platform on BugBase. Any submissions via email or alternative communication sources will not be considered.

Note: Bounty payouts for the first month will be made 30 business days after the program goes live.

Happy bug hunting!