Paytm Bug Bounty Program

Help us secure Paytm further!

Paytm invites independent security groups and individual researchers to study its products across all platforms and help us make them even safer for our customers. Please alert us to any potential security flaw you find; we will suitably reward you for your efforts. If reliability engineering interests you and you would like to work with Paytm, let us know that as well, or drop us a line at devops@paytm.com

  • Guidelines

    All researchers are expected to:

    • Report their findings by writing to us directly at bugbounty@paytm.com without making any information public. We will confirm receipt within 72 working hours of submission.
    • Keep the information about any vulnerability you’ve discovered confidential between Paytm and yourself until we have resolved the problem.
    • Depending on the criticality level, we may take 1 to 4 weeks to fix the vulnerability. However, every effort will be made to provide periodic updates to the researcher until the issue is resolved or concluded.
    • Disclosure of the vulnerability to the public, on social media or to a third party will result in suspension from Paytm’s Bug Bounty Program.
    • Please make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
    • Perform research only within the limited scope listed below. If you follow these guidelines when reporting an issue to us, we commit to:
      1. Work with you to understand and resolve the issue quickly
      2. Suitably reward your efforts
      3. Not pursue or support any legal action related to your research
  • Scope

    • Website: www.paytm.com
    • Mobile Apps: (Android, iOS)
    • Mobile Seller Apps: (Android)

    Communication from Paytm

    We ask the security research community to give us an opportunity to correct a vulnerability and not to disclose it publicly. Please submit a detailed description of the issue and the steps you believe are required to reproduce what you have observed. Please make a good-faith effort to protect our users’ privacy and data. We are committed to addressing security issues responsibly and in a timely manner.

    Excluded Submission Types

    Some submission types are excluded because they are dangerous to assess and/or because they have low security impact for the program owner. The issues listed in this section are not accepted under this program, will be immediately marked as invalid, and are not rewardable. However, in order to understand the case better, we will keep a channel of communication open with the reporter.

    • Findings from physical testing such as office access (e.g. open doors, tailgating).
    • Findings derived primarily from social engineering (e.g. phishing, vishing).
    • Findings from applications or systems not listed in the ‘Scope’ section above.
    • Functional, UI and UX bugs and spelling mistakes.
    • Network level Denial of Service (DoS/DDoS) vulnerabilities.
    • All non-security issues are out of scope.

    The following finding types are specifically excluded from the bounty:

    • Descriptive error messages (e.g. Stack Traces, application or server errors).
    • HTTP codes/pages or other HTTP non- codes/pages.
    • Fingerprinting / banner disclosure on common/public services.
    • Disclosure of known public files or directories, (e.g. robots.txt).
    • Clickjacking and issues only exploitable through clickjacking.
    • CSRF in forms that are available to anonymous users (e.g. the contact form).
    • Logout Cross-Site Request Forgery (logout CSRF).
    • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
    • Lack of Secure/HttpOnly flags on non-sensitive cookies.
    • Lack of Security Speedbump when leaving the site.
    • Weak Captcha / Captcha Bypass
    • Login or Forgot Password page brute force and account lockout not enforced.
    • OPTIONS HTTP method enabled
    • HTTPS Mixed Content Scripts
    • Self-XSS
    • Username / email enumeration
      1. via Login Page error message
      2. via Forgot Password error message
    • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
      1. Strict-Transport-Security
      2. X-Frame-Options
      3. X-XSS-Protection
      4. X-Content-Type-Options
      5. Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
      6. Content-Security-Policy-Report-Only
    • SSL Issues, e.g.
      1. SSL Attacks such as BEAST, BREACH, Renegotiation attack
      2. SSL Forward secrecy not enabled
      3. SSL weak / insecure cipher suites

    Out of Scope bugs for Android apps

    • Shared links leaked through the system clipboard.
    • Any URIs leaked because a malicious app has permission to view URIs opened
    • Absence of certificate pinning
    • Sensitive data in URLs/request bodies when protected by TLS
    • User data stored unencrypted on external storage
    • Lack of obfuscation is out of scope
    • OAuth ‘app secret’ hard-coded/recoverable in the APK
    • Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver components (exploiting these for sensitive data leakage is commonly in scope)
    • Any kind of sensitive data stored in app private directory
    • Lack of binary protection control in android app

    Out of Scope bugs for iOS apps

    • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
    • Absence of certificate pinning
    • Path disclosure in the binary
    • User data stored unencrypted on the file system
    • Lack of obfuscation is out of scope
    • Lack of jailbreak detection is out of scope
    • OAuth ‘app secret’ hard-coded/recoverable in the app binary
    • Crashes due to malformed URL Schemes
    • Lack of binary protection (anti-debugging) controls
    • Snapshot/Pasteboard leakage
    • Runtime hacking exploits (exploits only possible in a jailbroken environment)

    Rewards

    The monetary reward for every valid bug will be a minimum of Indian Rupees 1000.

  • Reporting format

    If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us by emailing bugbounty@paytm.com.
    Please include the following details in your report:

    • Description of the location and potential impact of the vulnerability
    • A detailed description of the steps required to reproduce the vulnerability – POC scripts, screenshots, and compressed screen captures will all be helpful to us.