Instamojo Bug Bounty Policy

Eligibility

Reporter eligibility

• You must NOT be an employee of Instamojo within the last 6 months.
• You must NOT be an immediate family member of an Instamojo employee.
• You must be a citizen of India with a valid PAN card (to receive bounty payments).

Report eligibility

• Only the first report for a given vulnerability will be eligible for a bounty reward. NOTE: You will receive a response from us even if the report is a duplicate.
• The report format and details must meet all the requirements mentioned under - report requirements.
• Only security vulnerabilities are considered valid. Report them to bugbounty@instamojo.com.
• Other general bugs or support queries can be reported to support@instamojo.com.
• A report email should only contain a single vulnerability report.

 

Responsible disclosure

• In case you find vulnerabilities that may negatively affect one or many of our merchants, please refrain from exploiting it. Instead report to us immediately.
• We expect you not to disclose the details or existence of the vulnerability until we fix the issue in production.NOTE: Issuing a bounty reward does not necessarily mean that the issue has been fixed in production. Sometimes fixing the issue might take more time.
• Also do not disclose the existence or details of the vulnerability without explicit permission from Instamojo, even after bounty payment or a fix.
• Only use your own Instamojo accounts for testing a vulnerability. The process should not negatively affect any of our merchant accounts.
• Only test for vulnerabilities. Do not engage in activities that lead to destruction, copying and/or exposure of data or resources in our system.
• Do not attempt a DoS or DDoS even if you find a related vulnerability. You may report the same for confirmation instead.

 

Reporting

How to report?

Just send an email to bugbounty@instamojo.com with the contents as mentioned below.

Report requirements

To help us understand the bug faster, your report should provide detailed information about how to reproduce the issue.

• The report vulnerability must be of a domain/app mentioned under in-scope domains and should not be one of out-of-scope vulnerabilities.
• The vulnerability must be reproducible for us to be considered valid.
• Must include either screenshots (if that’s adequate) or a POC video (preferred) depicting the vulnerability and exploitation.
• Must include the security impact of the vulnerability to Instamojo users and the system as you understand it.
• Preferably include the URLs visited, scripts/software used, Instamojo accounts involved, etc.
• Try exploiting the vulnerability as much as possible but as far as it does not violate our responsible disclosure conditions mentioned above.
• Preferably include other relevant details like links to similar HackerOne/OBB reports etc.

Report template

Individual Details:
- Full Name
- Email
- Any Publicly Identifiable profile (LinkedIn, Github, Personal website etc.)

Bug Details:
- Vulnerability
- Instamojo in-scope domain(s) or systems affected

Description and impact of the vulnerability:
- How to reproduce steps with accurate detail (even if u use scripts or tools, attach scripts/snippets if needed)
- Impact of the vulnerability to Instamojo and its users (as you understand it)

Expected response timelines

Acknowledgement - Within 3 working days after submission.

Triage and bug validation - Within 7 working days after acknowledgement.

Bounty transfer - Within 14 working days after validation response.

Bug fix - depends on type and criticality of vulnerability.

 

Scope

In-Scope

Domains

• https://www.instamojo.com/ (excluding https://www.instamojo.com/blog/)
• api.instamojo.com
• manage.instamojo.com
• *.stores.instamojo.com

Mobile apps

• Instamojo android app

Out-of-scope vulnerabilities

• Very recently (60 days) disclosed 0-day vulnerabilities since we need to patch our systems.
• Missing security headers that are recommended but do not present an immediate security vulnerability.
• Best practice suggestions including but not limited to:
  • Password strength (weak password policy)
  • Rate limiting configurations (missing or low rates unless it can potentially affect the system/business)
  • IDOR (non-sensitive information disclosure)
• Using Instamojo server to DDoS some external systems.
• Self-XSS that can not be used to exploit other users (this includes having a user paste JavaScript into the browser console).
• Frontend price manipulation without a successful transaction.
• API response manipulation tricks the UI but does not affect the server state.

 

Bounty reward

All valid bugs are awarded a bounty based on their impact. The exact amount of bounty to be given out will be at the discretion of Instamojo. The reward will be remitted to Indian bank accounts via NEFT. We are not currently able to make international remittances at this time.