General rules
- Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Unauthorized activity
- Physical attacks against Truecaller offices and data centers.
- Any vulnerability obtained through the compromise of a Truecaller employee or contractor, or Truecaller user: if you need to test a vulnerability, create another account; don’t take someone else’s. This type of activity will result in disqualification from the program permanently.
- Any vulnerability found through the use of a botnet, compromised site, or a denial-of-service (DoS) tool (any tool whose purpose is to generate a lot of traffic in order to test for DoS).
- Disrupting or negatively impacting Truecaller users, e.g. accessing or modifying Truecaller users' data or denying users access to Truecaller services.
Moreover, make an effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. In case there is any privacy violation or a vulnerability test that may lead to interruption of Truecaller services, immediately inform us either here or on our security email address.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Out of scope
We are interested in reports about security-related bugs, vulnerabilities, misconfigurations with security impact (including exposure of secrets). We are not interested in reports about missing best-practice configuration.
We will be closing reports about issues that have already been identified by our internal code scanning as "Duplicate".
Please consider that the lists below are not exhaustive and that they will be updated continuously.
Recurring non-vulnerabilities
- Exposure of Razorpay API key
- Exposure of Google Ads APP_ID
- Exposure of Shopify client id
- Exposure of VITALLY_TOKEN
- Exposure of CLEVERTAP_ID
When submitting a report about the exposure of an alleged secret, you must demonstrate that it is not intended to be public and that it can provide access to sensitive information or actions.
Also consider that even if a service uses a truecaller.com domain, it could be an external service that is not managed by us, i.e. we have not developed it and are not responsible for its code or its vulnerabilities.
Non-impactful vulnerabilities and non-vulnerabilities
- Issues that require unlikely user interaction
- Software version disclosure
- Descriptive error messages (e.g. stack traces, application or server errors)
- Vulnerabilities that only affect users of outdated browsers
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing best practices in TLS configuration (e.g. use of phase-out ciphers)
- Missing best-practice DNS records (e.g. DANE, CAA, MTA-STS, SPF, DKIM, DMARC)
- Missing best-practice HTTP headers (e.g. Content-Security-Policy, Referrer-Policy, Strict-Transport-Security)
- Missing HttpOnly or Secure flags on cookies, unless it concerns a cookie that stores sensitive information such as an authentication token. SameSite is excluded too.
- Unauthenticated Cache Purge
- Clickjacking or tabnabbing on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Leaked credentials from credential-leak services; if credentials are exposed in our infrastructure or are clearly obtained from employee workstations (via info stealers), they are of interest though!
- Exposure of the default dashboard in Jira
- Existence of indexed unsubscription links and search results in Wayback Machine and similar services
Test account
Truecaller can grant you premium access to test certain features of the app.
Please send an email with the following information to start the process.
| Field | Content |
|---|---|
| To | [email protected] |
| From | @wearehackerone.com |
| Subject | HackerOne Tester Premium Request |
| Body (must contain) | Phone Number: number incl. country code |
When signing up using an email address, please use your @wearehackerone.com alias.
Miscellaneous
We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.
Bounty ineligibility
Reports from individuals whom we are prohibited by law from paying are ineligible for rewards. Truecaller employees and their family members are not eligible for bounties.
Taxes
You are responsible for paying any taxes associated with rewards.
Swag
All successful submissions will be granted a three-month subscription to Truecaller Premium upon request.