August 28, 2017 6 min to read
The Via Bug Bounty Program
Category : Via News
The Via Bug Bounty Program is designed to encourage security research in Via software and to reward those who help us create the safest platform to transact on. We encourage you to let us know, as soon as possible, of any potential security flaw you find. We will investigate the submission and, if it is found valid, take the necessary corrective measures.
To show our appreciation for our security researchers, we will suitably reward you for each valid security vulnerability you find, based on the severity, impact and complexity of the vulnerability.
You are requested to review the program guidelines below before you report a security issue.
All researchers are expected to:
- Report their findings by writing to us directly at firstname.lastname@example.org without making any public disclosure. We will confirm receipt within 72 working hours of submission
- Keep the information about any vulnerability you’ve discovered confidential between us until we have resolved the problem
- Share the security issue in detail. At times, we might ask for more information
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing. You are requested not to run test-cases which might disrupt our services
- Perform research only within the scope as mentioned above. We also request you not to attempt attacks such as social engineering or phishing. These kinds of bugs will not be considered valid, and if caught, may result in suspension of your account
- Vulnerabilities made public before the fix are not eligible for a bounty reward
In return, we will:
- Get back to you on the bug reported within 72 hours of receiving the email
- Work with you to understand and resolve the issue quickly
- Keep you updated as we work to fix the bug you have submitted
- Pay the bounty reward only once the vulnerability has been fixed
- Recognize and acknowledge your contribution to our security with a certificate from us
- Not pursue or support any legal action related to your research
If you believe you’ve found a vulnerability in one of our products or platforms, please send it to us by email at email@example.com
Please include the following details in your report:
- Description of the vulnerability and potential impact
- A detailed and documented description of the steps required to reproduce the vulnerability; a proof of concept, screenshots or a video will be helpful to us
Out of Scope Properties: Any domain or subdomain, and any Android or iOS mobile app, that is not directly connected to Flight Raja Pvt. Ltd.
Qualifying Vulnerabilities: Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:
- Cross-site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Server-Side Request Forgery (SSRF)
- SQL Injection
- Server-Side Remote Code Execution (RCE)
- XML External Entity Attacks (XXE)
- Access Control Issues (Insecure Direct Object Reference Issues, Privilege Escalation, etc.)
- Exposed Administrative Panels that don’t require login credentials
- Directory Traversal Issues
- Local File Disclosure (LFD) and Remote File Inclusion (RFI)
- Payments Manipulation
- Flaw in 3rd party integrations to make free orders
- Server-side code execution bugs
Non-Qualifying Vulnerabilities:
- Open redirects. 99% of open redirects have low security impact; for the rare cases where the impact is higher (e.g. stealing OAuth tokens) we do still want to hear about them
- Reports that state that software is out of date/vulnerable without a ‘Proof of Concept’
- Host header issues without an accompanying POC demonstrating vulnerability
- XSS issues that affect only outdated browsers
- Stack traces that disclose information
- Clickjacking and issues only exploitable through clickjacking
- CSV injection (https://goo.gl/bamS8l)
- Best practices concerns
- Highly speculative reports about theoretical damage. Be concrete
- Self-XSS that cannot be used to exploit other users
- Vulnerabilities as reported by automated tools without additional analysis
- Reports from automated web vulnerability scanners (Acunetix, Burp Suite, Vega, etc.)
- Denial of Service Attacks
- Brute Force Attacks
- Reflected File Download (RFD)
- Social engineering attempts (phishing attacks against employees)
- Content injection issues
- Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF)
- Missing autocomplete attributes
- Missing cookie flags on non-security-sensitive cookies
- Issues that require physical access to a victim’s computer
- Missing security headers that do not present an immediate security vulnerability
- Fraud Issues
- Recommendations about security enhancement
- SSL/TLS scan reports (this means output from sites such as SSL Labs)
- Banner grabbing issues (figuring out what web server we use, etc.)
- Open ports without an accompanying POC demonstrating vulnerability
- Recently disclosed 0day vulnerabilities. We need time to patch our systems just like everyone else – please give us two weeks before reporting these types of issues.
Non-Qualifying Vulnerabilities (Mobile Apps):
- Shared links leaked through the system clipboard
- Any URIs leaked because a malicious app has permission to view URIs opened
- Absence of certificate pinning
- Sensitive data in URLs/request bodies when protected by TLS
- User data stored unencrypted on external storage and in the private directory
- Lack of code obfuscation
- OAuth “app secret” hard-coded in or recoverable from the APK
- Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver, and crashes due to malformed URL schemes
- Lack of binary protection controls in the Android app
- Lack of exploit mitigations, e.g. PIE, ARC or stack canaries
- Path disclosure in the binary
- Snapshot/Pasteboard leakage
- Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)
To qualify for a bounty, you should:
- Adhere to our guidelines (as mentioned above)
- Be the first researcher to responsibly disclose the bug. The vulnerability/bug must be original and previously unreported. The first reporter receives the benefit of the program.
- Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data, or enable access to a system within our infrastructure.
- Avoid privacy violations, and do not destroy data/hinder our regular services.
- Employees of Flight Raja Travels Pvt. Ltd. (via.com), their close relatives (parents, siblings, children or spouse), via.com business partners, agencies, alliances and their employees are not eligible for Via Bug Bounty Program.
- Other bugs with serious security implications will be considered on a case-by-case basis.
- Bounties are awarded based on the severity, impact, complexity and the awesomeness of the vulnerability reported and it is at the discretion of the Via Bug Bounty panel.
- The bounty amount will be communicated at the time the bug is reported.
- Only one bounty will be awarded for each distinct security vulnerability.
- Bug bounty is applicable only for individuals.
- An official letter from via.com will be issued certifying the contribution. The letter will be generic, without mention of the vulnerability.
Terms and Conditions
By participating, you agree to comply with via.com’s Terms and Conditions, which are as follows:
- Abide by all the applicable laws of the land. via.com would not be responsible for any non-adherence to the laws of the land on your part
- You should make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research. In case of any breach, Via reserves the right to take legal action
- Eligibility for rewards and determination of the recipients and amount of reward is left up to the discretion of Via Bug Bounty Panel
- Via reserves the right to discontinue the Bug Bounty Program at any time without notice
- You may only exploit, investigate, or target vulnerabilities against your own account. Testing should not violate any law, or disrupt or compromise any data or access data that does not belong to you
- All payments will be made in Indian Currency (INR)
- The Via Bug Bounty Program, including its policies, is subject to change or cancellation by Via at any time, without notice
- As such, Via may amend these Program Terms and/or its policies at any time by posting a revised version on our website.
- By continuing to participate in the Via Bug Bounty Program after Via posts any such changes, you accept the Program Terms as modified
- In the event you breach any of these Program Terms or the terms and conditions of the Via Bug Bounty Program, Via may immediately terminate your participation in the Bug Bounty Program and disqualify you from receiving any bounty payments.
- Any disputes will be governed by the laws of India, and the courts in Bangalore will have exclusive jurisdiction.