About Bounty Program

Xoxoday is a platform to discover and book activities, experiences and things to do in Bangalore, Delhi, Goa, Kolkata, Chennai, Noida, Gurgaon, Pune, Hyderabad, Mumbai, Mysore, Ooty, Coorg and nearby cities or destinations.

We recognize the importance of security researchers in helping us identify bugs and issues, and we reward those who help us build a safer software platform. If you believe you have found a security vulnerability or bug in our applications, we encourage you to let us know as soon as possible. We will investigate the submission and, if it is found valid, take the necessary corrective measures.

Please read the responsible disclosure policy, the reward terms and the reporting guidelines below carefully before you report a security issue.

Responsible Disclosure

Give us a reasonable amount of time to respond to you before you go public, and allow us to fully implement the fix before you publicly disclose the vulnerability. It may take some time to fix the vulnerability you report. We will fix the issue as early as possible, depending on its severity.

Guidelines - How to Report a Bug

  • Report a separate bug for each issue.
  • Figure out the steps to reproduce the bug. If you have precise steps to reproduce it, you are well on your way to writing a useful bug report.
  • If you can reproduce the bug only occasionally, and not by following specific steps, you must provide additional information for the report to be useful.
  • If you cannot reproduce the problem at all, there is probably little use in reporting it unless you can provide unique information about its occurrence.
  • Describe the bug precisely so that we understand the exact issue. A good summary should quickly and uniquely identify the bug report and explain the problem clearly.
    • Good: "Cancelling an alert-dialog crashes page and redirects to 404 Page"
    • Bad: "Software crashes"
    • Good: "Down-arrow scrolling doesn't work in "textarea" styled with overflow:hidden"
    • Bad: "Browser should work with my web site"
  • Use attachments such as screenshots to help our team understand the issue better.

Eligibility

  • Adhere to our Responsible Disclosure Policy (as mentioned above)
  • The bug should be original and should not be reported earlier
  • Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data, or enable access to a system within our infrastructure. Examples of such bugs are:
    • Cross-Site Scripting (XSS)
    • SQL Injection / XXE / RCE
    • Server Side Request Forgery (SSRF)
    • Cross-Site Request Forgery (CSRF/XSRF)
    • Insecure Direct Object References
    • Broken Authentication and Session Management (including OAuth bugs)
    • Remote Code Execution
    • Privilege Escalation
    • Provisioning Errors
    • Business logic flaws
    • Payment Related Issues
    • Misuse/Unauthorized use of our APIs
    • Improper TLS protection
    • Open Redirection

What should you include in a bug report?

  • Indicate whether you can reproduce the bug at will, occasionally, or not at all.
    • Good (precise) example: "I can reproduce by following these steps:"
    • Bad (imprecise) example: "Do this"
  • Describe your method of interacting with the Xoxoday Web or Mobile Applications, including the intent of each step.
    • Good (precise) example:
      1. Go to https://www.xoxoday.com in a Chrome web browser
      2. When the homepage is loaded, select an experience/product from the list shown
      3. Select number of People, Date and Time slot and place the order...
    • Bad (imprecise) example: "Go to Xoxoday and try to place an order"
  • After the steps, precisely describe the observed (actual) result and the expected result. Clearly separate facts (observations) from speculation.
    • Good (precise) example: Expected results: My Order Summary displays correctly. Actual results: Displays an alert message 'Your browser does not support this (error-93)'
    • Bad (imprecise) example: "It doesn't work", "Page displays incorrectly"

Reward

  • Bounty rewards are awarded based on the severity, impact, likelihood and complexity of the vulnerability reported. Final rewards are determined at the sole discretion of the Xoxoday Bug Bounty panel.
  • Only one bounty will be awarded for each distinct security vulnerability.
  • Bug bounties are awarded only to individuals.

Exclusions

  • Self-XSS
  • Executing scripts on sandboxed domains
  • CSRF for non-significant actions (logout, etc.)
  • Clickjacking attacks without a documented series of clicks that produce a vulnerability
  • Spam (including issues related to SPF/DKIM/DMARC)
  • Denial-of-service attacks or issues related to rate limiting
  • Attacks that require social engineering (phishing)
  • Vulnerabilities that require access to passwords, tokens, or the local system (e.g. session fixation)
  • Vulnerabilities discovered shortly after their public release
  • Cookie-related issues
  • SSL misconfiguration issues

Report a Bug