If you believe that you have found a security vulnerability or bug on any MobiKwik-owned website or application, we encourage you to let us know straight away. Our team will investigate all legitimate reports and do our best to fix the problem quickly.
Disclosure Policy
- We will acknowledge your submission only if you are the first person to report a given vulnerability. Known issues or issues that have already been reported will not be considered valid reports.
- You may not publicly disclose the vulnerability prior to our resolution.
- Any improper public disclosure or misuse of information will entitle MobiKwik to take appropriate legal action.
Response Targets
MobiKwik will make the best effort to meet the following response targets for hackers participating in our program:
- First response - 1 business day
- Time to triage - 2 business days
We’ll try to keep you informed about our progress throughout the process.
Program Rules
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service, and only interact with accounts you own or have the explicit permission of the account holder to use.
Please refrain from the following:
- Attempting DoS/DDoS attacks
- Automated scanning
- Using vulnerability testing tools that automatically generate significant traffic
- Accessing private information (use your own accounts)
- Performing actions that may negatively affect MobiKwik users (social engineering, phishing, spam, denial of service)
- Submitting reports from automated tools without verifying them.
- Performing brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.
In Scope
Domain: *.mobikwik.com
Android: MobiKwik-owned Android applications on the Play Store
iOS: MobiKwik-owned iOS applications on the App Store
Out of Scope Vulnerabilities
- Issues in software or applications not under MobiKwik’s control or owned by a third party
- Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
- Missing security headers which do not lead directly to a vulnerability
- Clickjacking without an impact
- Text injection
- Known-vulnerable library (without evidence of exploitability)
- Spam & rate limiting
- SSL/TLS protocol vulnerabilities
- Best practice concerns will be reviewed, but in general, we require evidence of a vulnerability
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
- Brute forcing of promo/coupon codes
- Social engineering attacks
- Email/Phone number enumeration (user enumeration)
- Any activity that could lead to the disruption of our service (DoS)
- Open redirection
- Missing security headers
Rewards
- Our minimum reward or bounty is ₹1000.
- There is no maximum reward; each bug is awarded a bounty based on its severity, scope and exploitability.
- Reporters of valid Critical and High severity bugs will be listed in MobiKwik’s Hall of Fame.
Report vulnerabilities at: vdp@mobikwik.com
Thank you for helping keep MobiKwik and our users safe!