Find The Bug And Get Rewarded

All researchers are expected to:

1. Report the finding(s) by writing to us directly on [email protected]. You will receive a confirmation from us within 72 working hours.
2. Keep the vulnerability confidential and shall report it only to us. Any form of public disclosure of the vulnerability would lead to suspension from the bug bounty program.
3. Please make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
4. Perform research only within the following limited scope. If you follow these guidelines when reporting an issue to us, we commit to:
   1. Working with you to understand and resolve the issue quickly.
   2. Suitably reward your efforts.
   3. Not pursue or support any legal action related to your research.

1. Website: https://bitdroplet.com
2. Mobile Apps: (Android, iOS)

1. Any subdomain not connected to https://bitdroplet.com, Android and iOS mobile apps directly.

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Any security vulnerability related to the following would be considered under the program:

1. Cross-site Scripting (XSS)
2. Cross-Site Request Forgery (CSRF)
3. Server-Side Request Forgery (SSRF) SQL Injection
4. Server-Side Remote Code Execution (RCE) XML
5. External Entity Attacks (XXE) Access Control
6. Issues (Insecure Direct Object Reference Issues,
7. Privilege Escalation, etc) Exposed
8. Administrative Panels that don't require login
9. credentials Directory Traversal Issues Local
10. File Disclosure (LFD) and Remote File Inclusion
11. (RFI) Payments Manipulation Flaw in 3rd party
12. integrations to make free orders from Droplet
13. merchants Server-side code execution bugs

Vulnerabilities related to following would not be considered under the program:

1. Open-Redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing OAuth tokens. We still do want to hear about them.
2. Reports stating that the software is out of date/vulnerable without a 'Proof of Concept'.
3. Host header issues without an accompanying POC demonstrating vulnerability.
4. XSS issues that affect only outdated browsers.
5. Stack traces that disclose information.
6. Clickjacking and issues only exploitable through clickjacking.
7. CSV injection. Please see this article: https://goo.gl/bamS8l
8. Best practices concerns.
9. Highly speculative reports about theoretical damage. Be concrete.
10. Self-XSS that can not be used to exploit other users.
11. Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.
12. Reports from automated web vulnerability scanners (Acunetix, Burp Suite, Vega, etc.) that have not been
validated.
13. Denial of Service Attacks.
14. Brute Force Attacks
15. Reflected File Download (RFD).
16. Physical or social engineering attempts (this includes phishing attacks against Droplet employees).
17. Content injection issues.
18. Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
19. Missing autocomplete attributes.
20. Missing cookie flags on non-security-sensitive cookies.
21. Issues that require physical access to a victim's computer.
22. Missing security headers that do not present an immediate security vulnerability.
23. Fraud Issues.
24. Recommendations about security enhancement.
25. SSL/TLS scan reports (this means output from sites such as SSL Labs).
26. Banner grabbing issues (figuring out what web server we use, etc.).
27. Open ports without an accompanying POC demonstrating vulnerability.
28. Recently disclosed vulnerabilities. We need time to patch our systems just like everyone else – please give us two weeks before reporting these types of issues.
29. Entering the Droplet offices and hijacking an abandoned terminal on an unlocked workstation while staff are distracted.

We ask the security research community to provide us with an opportunity to rectify a vulnerability. Please submit a detailed description of the issue and the steps you think that may be required to reproduce what you have observed. Please make a good effort to protect our users' privacy and data. We are committed to addressing security issues responsibly and timely.

The monetary rewards for every valid security bug would be based on criticality of the issue and can only be credited to your Droplet wallet in the form of cryptocurrencies . However, the minimum monetary reward is 1000 INR.