PhonePe VDP
External Program
Submit bugs directly to this organization
PhonePe VDP - Vulnerability Disclosure Program | BugBase
Report form: https://www.phonepe.com/report-vulnerability
Report Statistics: 82 Total Reports Received, 11 Assets in Scope
PhonePe VDP
At PhonePe, we are committed to ensuring our systems are secure. We always aim to create a safe browsing environment for our customers. If a security researcher or a member of the public finds a security vulnerability in our systems and shares the details responsibly, we value their help. We collaborate with them to fix these issues quickly and publicly acknowledge their assistance if they prefer. PhonePe has the right to verify the reports based on the business impact of the vulnerability. Our priority is to safeguard our users' sensitive information and maintain the trust they place in us. The Security Community’s cooperation plays a vital role in enhancing the security of our platform for everyone.
Public disclosure of the submission details of any identified or alleged security vulnerability without express written authorization from PhonePe will deem the submission noncompliant with this Responsible Disclosure Policy.
Furthermore, to remain compliant, you are prohibited from:
Accessing, downloading, or modifying data residing in an account that does not belong to you
Executing or attempting to execute any “Denial of Service” attack
Posting, transmitting, uploading, linking to, sending, or storing any malicious software
Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages
Testing in a manner that would degrade the operation of any PhonePe systems
Testing third-party applications, websites, or services that integrate with or link to PhonePe systems
The Program applies to security vulnerabilities found within PhonePe’s Environment, including, but not limited to, PhonePe’s websites, APIs, and mobile applications. We recognise security researchers who help us keep users safe by reporting vulnerabilities in our services. The recognition for these reports is entirely at PhonePe’s discretion and is determined based on factors such as Severity, Likelihood, and Business Impact of the reported finding.
Typically, in-scope submissions will include high-impact vulnerabilities. However, any vulnerability that could realistically place our customers' security or their data at significant risk is in scope and might be rewarded. Vulnerabilities that directly or indirectly affect the confidentiality or integrity of user data or privacy are prime candidates for a reward. When deciding whether a vulnerability qualifies, we consider whether it has characteristics such as the following:
Directly or indirectly affect the confidentiality or integrity of user data or privacy;
Compromise the integrity of the system;
Enable unauthorized access to significant data or resources;
Enable the running of unauthorized code;
Increase privileges or access beyond that which is intended;
Interfere with or bypass security controls or mechanisms;
Are exploitable (i.e. not purely theoretical);
Can be launched remotely; and
Could cause damage to a user's system
To be eligible for the Bug Bounty Program, you MUST meet the following requirements:
Adhere to PhonePe Responsible Disclosure Policy
Your report must describe a security vulnerability involving and/or affecting one of the products or services listed under "Scope".
We expressly exclude certain types of security findings; these are listed under "Program Exclusions”.
If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating a vulnerability, make sure that you disclose this in your report.
In addition, you MUST NOT:
Be in violation of any national, state, or local law or regulation;
Be employed by PhonePe Private Limited or its subsidiaries;
Be an immediate family member of a person employed by PhonePe Private Limited, or its subsidiaries or affiliates.
If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy, PhonePe commits to:
Working with you to understand and validate the issue
Addressing the risk (if deemed appropriate by PhonePe)
The PhonePe Security Team will investigate and respond to all valid reports. Our turnaround time (TAT) for an initial response to a new report is usually 3-5 business days; however, we prioritise investigations based on risk and other factors.
In the event of duplicate reports, we recognize the first person (or submitter) of a qualifying security vulnerability. (PhonePe determines duplicates and may not share details of the other reports.)
Note that the use of PhonePe services, including for the purposes of this program, is subject to PhonePe’s Terms and Policies. We may retain any communications about security vulnerabilities that you report for as long as we deem necessary for program purposes, and we may cancel or modify this program at any time.
PhonePe Consumer mobile app (Android & iOS)
PhonePe For Business mobile app (Android & iOS)
Share.Market mobile app (Android & iOS)
Indus OS App Store
Share.Market web app
Indus OS Developer Dashboard
phonepe.com
support.phonepe.com
business.phonepe.com
api.phonepe.com
The PhonePe Security Team might consider submissions outside the above scope for further processing at its discretion without any commitment to bounty or recognition.
Any design or implementation issue that is reproducible and substantially affects the security of PhonePe customers is likely part of the scope of the program. The Vulnerability Rating Taxonomy is the baseline guide used for classifying technical severity. Common examples include:
Injection vulnerabilities, including SQL and XML injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Server-side or Remote Code Execution (RCE)
Authentication/Authorisation flaws, including IDOR and authentication bypass
Domain take-over vulnerabilities
Account Takeover (while testing, use a test account for PoC)
Directory Traversal
Sensitive Information Disclosure that can affect PhonePe’s customers, merchants, and/or overall PhonePe brand
Significant security misconfiguration with a verifiable/exploitable vulnerability (a working PoC is required)
Sensitive/Internal Credentials disclosed by PhonePe or its employees posing a valid/verifiable risk to an in-scope asset (subject to investigation/authenticity of data)
The following categories of vulnerabilities are excluded from recognition in the Program unless otherwise directed by PhonePe:
Findings/Reports generated by automated scanner tools.
Mobile client findings that require a ROOTED device.
Outdated OS versions/App versions related vulnerabilities.
Findings that cannot be utilised to exploit other users/customers of PhonePe - e.g., self-XSS.
Publicly released CVEs and 0-days (zero-day vulnerabilities) within 90 days of their disclosure.
"Advisory" or "Informational" reports that do not include any PhonePe testing or context.
Threat Intel Reports.
Vulnerabilities requiring MITM or physical access to the victim’s unlocked device.
Any form of Denial of Service attacks/exploits.
SPF and DKIM issues.
Content injection.
Hyperlink injection in emails.
IDN homograph attacks.
RTL Ambiguity.
Content Spoofing.
Password Policy related issues in Applications.
Full-Path Disclosure on any property.
Version number information disclosure.
Clickjacking on pre-authenticated pages, the non-existence of X-Frame-Options, or other non-exploitable clickjacking vulnerabilities.
CSRF-able actions that do not require authentication (or a session) to exploit.
Login/logout CSRF.
Reports related to the following security-related headers:
Strict Transport Security (HSTS)
XSS mitigation headers (X-Content-Type and X-XSS-Protection)
X-Content-Type-Options
Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
Bugs that do not represent any security risk - e.g. functional bugs, logical bugs, workflow bugs, feature bugs, etc.
Open Redirect vulnerabilities (Phishing).
Security bugs in third-party applications or services built on the PhonePe API: Please report them directly to the company that built the application or service.
Security bugs in software related to an acquisition for 90 days following any public announcement.
Findings related to HTTP TRACE or OPTIONS methods.
Non-sensitive (i.e., non-session) cookies missing the Secure or HttpOnly flags.
Tap jacking.
Subdomain takeovers without supporting evidence.
Missing best practices in SSL/TLS configuration.
Open ports without an accompanying proof-of-concept demonstrating vulnerability.
PhonePe app does not have control over verifying the CVV of Credit Cards because this verification can only be done by the card issuing bank.
Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device.
Username enumeration on customer-facing systems (i.e. using server responses to determine whether a given account exists).
Vulnerabilities requiring extensive user interaction.
Exposure of non-sensitive data on the device.
Vulnerabilities on third-party libraries without showing specific impact on the target application (e.g. a CVE with no exploit)
All out-of-scope assets and vulnerabilities mentioned above are NOT eligible for recognition/rewards.
Multiple reports of the same bug on different endpoints will be closed as duplicates if they require one fix.
We encourage security researchers to share the details of any suspected vulnerabilities with the PhonePe Security Engineering Team by submitting the form under the header “How to Report a Security Vulnerability?”. PhonePe will review the submission to determine if the finding is valid and has not been previously reported. At PhonePe’s discretion, you may be eligible for monetary compensation for your efforts. Employees of PhonePe or PhonePe subsidiaries and vendors currently working with PhonePe are not eligible for financial compensation. If you belong to any of the listed categories, you must specify that in your report. We require security researchers to include detailed information with steps for us to reproduce the vulnerability.
If you have identified a potential security vulnerability based on the above-mentioned “Program Terms and Conditions”, we request you to follow the steps outlined below:
Submit the vulnerability report form with the necessary details to recreate the scenario. This may include screenshots, videos, or simple text instructions.
Share your contact details for direct contact (in case our team needs to reach out to you for critical/urgent clarification).
If the reported finding (vulnerability) could potentially extract information about our customers or systems, or impair our system's ability to function normally, please refrain from exploiting it beyond what is needed to demonstrate the issue, so that we can consider your disclosure a responsible one.
While we appreciate the input of Whitehat hackers, we may pursue legal recourse if the identified vulnerabilities are exploited for unlawful gains, access to restricted customer or system information, or impairment of our systems.
PhonePe Web Apps In Scope
Scope group: Web App
Asset | Type | Last update | Reports Resolved | Labels
https://business.phonepe.com/ (PhonePe Business Web App) | Web | Nov 21, 2024 | 0 (0%) | Production
https://phonepe.com (PhonePe Website) | Web | Nov 19, 2024 | 0 (0%) | Production
https://indusappstore.com/ (Indus OS Website) | Web | Nov 19, 2024 | 1 (50%) | Production
PhonePe Android Apps In Scope
Scope group: Android
Asset | Type | Last update | Reports Resolved | Labels
https://play.google.com/store/apps/details?id=com.phonepe.app&pcampaignid=web_share (PhonePe Consumer App) | Android | Jan 11, 2025 | 1 (50%) | Production
https://play.google.com/store/apps/details?id=com.phonepe.stockbroking&pcampaignid=web_share (PhonePe Stockbroking App, share.market) | Android | Jan 11, 2025 | 0 (0%) | Production
https://play.google.com/store/apps/details?id=com.phonepe.app.business&pcampaignid=web_share (PhonePe Merchant Business App) | Android | Jan 11, 2025 | 0 (0%) | Production
PhonePe iOS Apps In Scope
Scope group: iOS
Asset | Type | Last update | Reports Resolved | Labels
https://apps.apple.com/in/app/phonepe-secure-payments-app/id1170055821 (PhonePe Consumer App) | iOS | Jun 18, 2024 | 0 (0%) | Production
https://apps.apple.com/in/app/phonepe-business-merchant-app/id1463742453 (PhonePe Merchant Business App) | iOS | Jun 18, 2024 | 0 (0%) | Production
https://apps.apple.com/in/app/share-market-stocks-f-o-ipo/id6444640366 (PhonePe Stockbroking App, share.market) | iOS | Jun 18, 2024 | 0 (0%) | Production