Secure Paytm Reward Program
Help us to secure Paytm further!
Paytm invites independent security groups and individual researchers to study it across all platforms and help us make it even safer for our customers. Please alert us to any potential security flaw you find; we will suitably reward you for your efforts. Although we welcome reports of non-security issues, please note that only genuine security issues are eligible for rewards, and we may not be able to respond to non-security issues. Send a detailed description to firstname.lastname@example.org.
All researchers are expected to:
- Report their findings by writing to us directly at email@example.com without making any information public. We will confirm receipt within 72 working hours of submission.
- Keep the information about any vulnerability you’ve discovered confidential between Paytm and yourself until we have resolved the problem.
- Depending on the criticality level, fixing the vulnerability may take 2 days to 2 weeks.
- Disclosure of the vulnerability to the public, social media or a third party will result in suspension from Paytm’s Bug Bounty and Secure Paytm Reward Program.
- Please make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
- Perform research only within the following limited scope:
  - Website: www.paytm.com
  - Mobile Apps: (Android, iOS)
  - Mobile Seller Apps: (Android)
If you follow these guidelines when reporting an issue to us, we commit to:
- Work with you to understand and resolve the issue quickly
- Suitably reward your efforts
- Not pursue or support any legal action related to your research
Out-of-Scope Properties: any subdomain that is not directly connected to paytm.com or to the Android and iOS mobile apps.
Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:
- Cross-site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Server-Side Request Forgery (SSRF)
- SQL Injection
- Server-Side Remote Code Execution (RCE)
- XML External Entity Attacks (XXE)
- Access Control Issues (Insecure Direct Object Reference Issues, Privilege Escalation, etc.)
- Exposed Administrative Panels that don’t require login credentials
- Directory Traversal Issues
- Local File Disclosure (LFD) and Remote File Inclusion (RFI)
- Payments Manipulation
- Flaws in third-party integrations that allow free orders from Paytm merchants
- Server-side code execution bugs
Non-Qualifying Vulnerabilities
- Open Redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing OAuth tokens, we do still want to hear about them.
- Reports that state that software is out of date/vulnerable without a ‘Proof of Concept’.
- Host header issues without an accompanying POC demonstrating vulnerability.
- XSS issues that affect only outdated browsers.
- Stack traces that disclose information.
- Clickjacking and issues only exploitable through clickjacking.
- CSV injection. Please see this article: https://goo.gl/bamS8l
- Best practices concerns.
- Highly speculative reports about theoretical damage. Be concrete.
- Self-XSS that cannot be used to exploit other users.
- Vulnerabilities as reported by automated tools without additional analysis as to how they’re an issue.
- Reports from automated web vulnerability scanners (Acunetix, Burp Suite, Vega, etc.) that have not been validated.
- Denial of Service Attacks.
- Brute Force Attacks.
- Reflected File Download (RFD).
- Physical or social engineering attempts (this includes phishing attacks against Paytm employees).
- Content injection issues.
- Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
- Missing autocomplete attributes.
- Missing cookie flags on non-security-sensitive cookies.
- Issues that require physical access to a victim’s computer.
- Missing security headers that do not present an immediate security vulnerability.
- Fraud Issues.
- Recommendations about security enhancement.
- SSL/TLS scan reports (this means output from sites such as SSL Labs).
- Banner grabbing issues (figuring out what web server we use, etc.).
- Open ports without an accompanying POC demonstrating vulnerability.
- Recently disclosed 0day vulnerabilities. We need time to patch our systems just like everyone else – please give us two weeks before reporting these types of issues.
- Entering the Paytm offices, throwing crisps everywhere, unleashing a bunch of hungry raccoons, and hijacking an abandoned terminal on an unlocked workstation while staff are distracted.
Non-Qualifying Vulnerabilities (Mobile Apps)
- Shared links leaked through the system clipboard.
- Any URIs leaked because a malicious app has permission to view opened URIs.
- Absence of certificate pinning
- Sensitive data in URLs/request bodies when protected by TLS
- User data stored unencrypted on external storage or in the app’s private directory.
- Lack of obfuscation.
- OAuth “app secret” hard-coded or recoverable in the APK.
- Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope) and crashes due to malformed URL schemes.
- Lack of binary protection controls in the Android app.
- Lack of exploit mitigations, i.e., PIE, ARC, or stack canaries.
- Path disclosure in the binary.
- Snapshot/Pasteboard leakage
- Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)
Communication from Paytm
We ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps you believe are required to reproduce what you have observed. Please make a good-faith effort to protect our users’ privacy and data. We are committed to addressing security issues responsibly and in a timely manner.
The monetary reward for every valid security bug is based on the criticality of the issue. However, the minimum monetary reward is 1000 Indian Rupees.
If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us by email at firstname.lastname@example.org. Please include the following details in your report:
- Description of the location and potential impact of the vulnerability
- A detailed description of the steps required to reproduce the vulnerability – POC scripts, screenshots, and compressed screen captures will all be helpful to us
- Please avoid privacy violations, and do not destroy data or hinder our regular services.
- The vulnerability/bug must be original and previously unreported. The first reporter will have the benefit of the program.
- Employees of Paytm are not eligible for the Secure Paytm Reward Program.
- We reserve the right to change the rules or cancel this program at any time.
- Consideration for other bugs with serious security implications will be on a case-by-case basis.