Needl.Ai - Vulnerability Disclosure Program | BugBase
Needl.Ai (https://needl.ai). Report statistics: 163 total reports received, 18 assets in scope.
Last updated on May 18, 2023.
As part of our commitment to security, we invite you to help us identify vulnerabilities in our AI-assisted information hub. By submitting vulnerabilities and exploitation techniques, you have a chance to earn rewards (XOXOday Vouchers) determined by Needl.ai. We value your contributions and take your findings seriously. Please note that Needl.ai retains the right to make final decisions on rewards and may modify or terminate the program as needed. Thank you for joining us in creating a safer platform!
We request that you inform us promptly upon discovering a potential security vulnerability.
Our team will work quickly to resolve the issue. We ask for a reasonable time period to resolve the issue before it is disclosed to the public or to any third party.
We kindly request that you make a sincere effort to avoid violating privacy, damaging data, or disrupting our services in any way.
Please provide detailed reports with a clear textual description of the issue along with steps to reproduce the vulnerability.
You must include attachments such as screenshots or PoC code as necessary.
Include a clear attack scenario. How will this affect us exactly?
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Protecting customers is needl's highest priority. We endeavour to address each Vulnerability report in a timely manner. While we are doing that, we require that the Submissions remain confidential and cannot be disclosed to third parties or as part of paper reviews or conference submissions.
You can make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is fixed. We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for 60 days after the Vulnerability is fixed. needl will notify you when the Vulnerability in your Submission is fixed.
Violations of this section could disqualify you from participating in the program in the future.
Needl may publicly recognize individuals who have submitted vulnerability reports that helped Needl fix probable vulnerabilities in the system. Needl, at its discretion, may recognize you on its website unless you explicitly ask us not to include your name.
By participating in the Program, you will follow these rules:
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Only target your own accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the accounts of other users without the express permission of our team.
Don't do anything illegal.
Don't engage in any activity that exploits, harms, or threatens to harm children.
Don't send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
Don't share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).
Don't engage in activity that is false or misleading.
Don't engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).
Don't infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.
Don't help others break these rules.
We are currently accepting reports for critical vulnerabilities only, such as RCE, subdomain takeover, and similar server-level vulnerabilities in the dev environments (*.idatagenie.com). Please refrain from reporting business logic bugs, beta feature access, and other non-critical issues for these subdomains. (Use app.needl.ai, which is our main webapp, to test for business logic bugs or any other P1-P4 severity issues.)
If you violate these Terms, you may be prohibited from participating in the Program in the future.
We offer XOXOday Vouchers as a reward for successful bug reports, which are categorized based on their priority level. The Priority-Reward Bracket is as follows:
Severity | Reward
P1 | 20,000 INR
P2 | 15,000 INR
P3 | 5,000 INR
P4 | 1,000 INR
Reports falling into the categories listed below are considered out of scope for our VDP program:
Clickjacking on pages with no sensitive actions
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access to a user's device
Any activity that could lead to the disruption of our service (DoS)
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Rate limiting or bruteforce issues on non-authentication endpoints
Service hardening recommendations without a clear security impact. This includes missing or weak CAPTCHA or rate limiting, and the brute forcing that improper rate limiting can allow.
Unrestricted file uploads without a clear impact, beyond resource consumption, DoS, undesirable content, etc.
Self-XSS
Missing security headers
Missing HttpOnly or Secure flags on cookies
Weak password policies
Session management issues, such as session timeout, session hijacking, etc.
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.
Previously known vulnerable libraries without a working Proof of Concept.
Public Zero-day vulnerabilities that have had an official patch for less than 1 month
Tabnabbing
Open redirect - unless an additional security impact can be demonstrated
Issues that require unlikely user interaction
Lack of certificate pinning, or HSTS.
Inadequate root prevention/detection in APK
Lack of obfuscation or binary protection (anti-debugging) controls
Any exploit that requires tricking the user into installing a malicious app
Vulnerabilities requiring extensive user interaction
Exposure of non-sensitive data on the device
Storage of sensitive data in the in-app private directory
Transmission of sensitive data through unsecured HTTP with TLS protection
Discovery of hardcoded keys in mobile applications without a feasible attack scenario.
Exploits using tools such as Frida
Any vulnerability that requires physical device access (e.g. USB debugging), root/jailbroken access, or third-party app installation in order to exploit it
URI leaks caused by malicious apps with permission to view opened URIs or Snapshot/Pasteboard leakage
Crashes due to malformed Intents sent to exported activities, services, or broadcast receivers (exploiting these for sensitive data leakage is within scope)
Inadequate binary protection control in APK
Vulnerabilities reported in modified APKs obtained through unofficial channels.
If you strongly believe that any of our infrastructure outside this program's scope has critical vulnerabilities that must be addressed, we are open to receiving reports on them.
We will consider them for rewards on a case-by-case basis, even if they are out of scope, provided they turn out to be critical for our business.
Main WebApp In Scope
Asset | Type | Last update | Reports Resolved | Labels
app.needl.ai (https://app.needl.ai) | Web | Jan 2, 2025 | 8 (88.88%) | Production
api.needl.ai (https://api.needl.ai) | API | May 10, 2023 | 0 (0%) | Production
Android App - Needl.Ai (https://play.google.com/store/apps/details?id=com.needl.ai.needl) | Android | May 10, 2023 | 0 (0%) | Production
IOS app - Needl.Ai (https://apps.apple.com/gb/app/needl-ai/id1667440792) | iOS | May 10, 2023 | 0 (0%) | Production
auth.needl.ai (https://auth.needl.ai) | Web | May 10, 2023 | 0 (0%) | Production, Authentication
pricing.needl.ai (https://pricing.needl.ai) | API | May 10, 2023 | 0 (0%) | Production
app.needl.ai/admin (https://app.needl.ai/admin) | Web | Jun 9, 2025 | 0 (0%) | Production
app.needl.ai/admin/api (https://app.needl.ai/admin/api) | API | Jun 9, 2025 | 0 (0%) | Production
app.needl.ai/flagr (https://app.needl.ai/flagr) | Web | Jun 9, 2025 | 0 (0%) | Production, DevOps
app.needl.ai/k8s (https://app.needl.ai/k8s) | API | Jun 9, 2025 | 0 (0%) | Production, DevOps
Marketing Sites In Scope
Asset | Type | Last update | Reports Resolved | Labels
needl.ai (https://needl.ai) | Web | Jan 1, 2025 | 1 (11.11%) | Production, Marketing
needl.ai/help (https://needl.ai/help) | Web | Jun 9, 2025 | 0 (0%) | Production
Dev Envs In Scope
Asset | Type | Last update | Reports Resolved | Labels
No data
Miscellaneous In Scope
Asset | Type | Last update | Reports Resolved | Labels
imgproxy.needl.ai (https://imgproxy.needl.ai) | API | May 10, 2023 | 0 (0%) | Production
app.needl.ai/grafana (https://app.needl.ai/grafana) | Web | Jun 9, 2025 | 0 (0%) | Production, DevOps
app.needl.ai/mixpanel (https://app.needl.ai/mixpanel) | API | Jun 9, 2025 | 0 (0%) | Production