Bounce Bug Bounty Program

The ‘Bounce Bug Bounty Program’ has been designed to encourage researchers to help Bounce discover vulnerabilities across our platforms. We appreciate the external contributions from the researcher community that help us make our platforms safer. Through the Bug Bounty Program, we aim to recognize and reward all valid contributions subject to the severity of the vulnerability reported.

Issues and vulnerabilities are covered on the following Bounce platforms: Android App, iOS App. Refer to the Rewards section for the types of vulnerabilities covered in the Bug Bounty Program.

  • Issues detected on Staging/Sandbox environment
  • Issues that are related to partner applications/services
  • Denial of service attacks
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Brute Force protection on login page
  • Autocomplete attribute on web forms
  • Minor issues like version disclosures.
  • Cookie attributes not set/Secure flag issues
  • JavaScript/PHP/WordPress library disclosure
  • X Click Jacking

Researchers should submit their findings that cover eligible vulnerabilities to: Only emails sent to this email address will be considered valid for the Bug Bounty Program.

  1. Kindly ensure that you go through the Bug Bounty Agreement. By submitting a report or otherwise disclosing a vulnerability to us, it will be assumed that you have read and accepted the same.
  2. The submission must contain all relevant items/evidence like (but not limited to) the following to support your case:
    • Detailed description of the security vulnerability (type, URL, potential impact, etc.)
    • Relevant Screenshots, to depict the flow (if required)
    • Video evidence (if required)

While the monetary reward will be decided on the basis of the criticality and severity of the issue on a case-to-case basis, the following table outlines the indicative amount that each category will be eligible for:

| Type of Vulnerability | Reward |
|---|---|
| Sensitive Data Leaks, SQL Injections, Security issue in Payment | Up to Rs. 25K, depending on severity |
| Bike Vulnerabilities/Hacks, App Side Issues that can cause potential security problems | Up to Rs. 15K, depending on severity |
| API tweaks that can control Bounce trips | Up to Rs. 10K, depending on severity |
| App functionality issues | Up to Rs. 5K or Bounce Cash, depending on severity |
| For minor issues | Rs. 500 to Rs. 1000 or Bounce Cash, depending on severity |

Certain exceptional contributors who help in identifying and fixing a bug that is categorized as “high-vulnerability” by us may also find a place in the ‘Hall of Fame’ listed on the website.

Contributors who report bugs with low severity that are not covered here may receive Bounce goodies.

Bounce will have the sole right to decide the Reward to be awarded under the Bounce Bug Bounty Program, and such amount may vary at Bounce’s sole discretion.

The rules of disclosure are as below:
  1. Employees of Bounce and their relatives, members of any external organisation who were/are part of the supporting development teams and their relatives are not allowed to partake in the Bug Bounty Program
  2. You must identify vulnerabilities in the applications created by Bounce and not on any underlying OS or supporting software
  3. The vulnerabilities identified should be in the latest stable version
  4. The bug must be new and not previously reported. The Bounce Security team will send a reply to you within 2 working days if your submitted vulnerability has been previously reported
  5. You must not break any laws to discover and identify the vulnerabilities
  6. The decision to reward is solely at the discretion of Bounce and Bounce may choose not to provide any monetary benefit if we feel the vulnerability is not critical and/or the submission doesn’t follow any of the guidelines provided by Bounce
  7. The bug should not be a random occurrence (i.e. can be reproduced easily). It must be remotely exploitable in a standard configuration
  8. Your testing and identification of the bug should not affect any services of Bounce or any other commercial service
  9. The vulnerability thus identified should have been shared only with Bounce. Disclosure to the public or media or any third party is strictly not allowed. In the absence of this confidentiality, the contributor will not be eligible for any reward. Rewards will be transferred only when the patch for the vulnerability is in place.
  10. The program may be amended, or discontinued, without notice, at any time