Shaadi.com Bug Bounty
Shaadi.com is launching a bug bounty program to foster collaboration amongst security professionals. With this program, we believe we can help protect our members' personal information from malicious activity due to vulnerabilities against our networks, web and mobile applications and set security policies across our organization. We treat the security and safety of our members' personal information with the utmost importance.
For the protection of our members, Shaadi.com does not disclose, discuss or confirm security matters until comprehensively investigating, diagnosing and fixing any known issues.
- Do not intentionally harm the experience or usefulness of the service to others, including degradation of services & denial of service attacks.
- Do not attempt to view, modify, or damage data belonging to others
- Do not disclose the reported vulnerability to anyone else until we've had reasonable time to fix it.
- You must be 18 or older to be eligible to participate in this program/award.
- You must agree and adhere to the Program Rules and Legal terms as stated in this policy.
- You must be the first to report the issue in order to be eligible for bounty*.
- You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.
- Shaadi.com Partners, employees and their friends are not eligible for participation in this program.
Targets Eligible for Reward
Currently, we offer monetary rewards along with certificate of appriciation only for the properties listed below. Subdomains not specifically listed are not included in the Targets Eligible for Reward.
Subdomains not specifically listed are not included in the Targets Eligible for Reward.
If you have found a vulnerability in a Shaadi.com site or app not contained within this list, you can still submit, and Shaadi.com will triage the report. These types of reports will not result in a monetary reward but valid reports that are resolved are eligible for certificate of appreciation.
- www.shaadi.com and its all community domains *
- Shaadi.com iOS & Android apps
Many of our sites (including community domains) share a common platform. Because of this, a vulnerability reported on one domain may exist on another domain if the issue exists in the shared platform itself. For example, an issue reported for Shaadi.com may also present in the exact same way on tamilshaadi.com and the issue will be resolved on both sites with the same fix. We ask that you take the time to try to confirm this first, and include the other vulnerable locations in one report rather than submitting multiple reports. In these cases, we treat the issue as one bug and will close out others as duplicates. Rest assured, we do take the existence of a vulnerability present on multiple sites into consideration during reward time.
Please consider the following when reporting issues:
- Many of our sites (including community domains) share a common platform. Because of this, a vulnerability reported on one domain may exist on another domain if the issue exists in the shared platform itself with the same root cause.
- It speeds up the triage process if you include in your one report other locations where the same bug is present.
- When in doubt, please file a single report and write down your thoughts. If we think you found different vulnerabilities, we'll be more than happy to let you file another bug.
- Attacks dependent upon social engineering of Shaadi.com employees or vendors
- Attacks requiring physical access to a user's device
- Attacks requiring physical access to device or MiTM
- CSRF on forms that are available to anonymous users
- CSRF on logout
- Clickjacking, without additional details demonstrating a specific exploit
- Contact information of the member received via any front-end feature working as desired e.g. a type of premium membership may allow free members to access to premium contact details.
- Content spoofing / text injection
- Cookies that lack HTTP Only or Secure settings for non-sensitive data
- Denial of Service attacks
- Descriptive error messages or headers (e.g. Stack Traces, application or server errors, banner grabbing)
- Disclosure of known public files or directories
- Enforcement policies for brute force or account lockout
- Host Header Injectionx
- Hyperlink injection in emails using forms available to any user
- Issues related to active sessions after password changes.
- Mail configuration issues including SPF, DKIM, DMARC settings
- Missing security headers without additional details or a POC demonstrating a specific exploit
- Mixed content issues
- OPTIONS / TRACE HTTP method enabled
- Outdated software / library versions
- Password and account recovery policies
- Presence of autocomplete functionality in form fields
- Publicly accessible login panels
- Rate-limiting issues
- Reports resulting from automated scanning utilities without additional details or a POC demonstrating a specific exploit
- SSL/TLS best practices
- XSS, Self-XSS and issues exploitable only through XSS and Self-XSS
- Use of a known-vulnerable library without a description of an exploit specific to our implementation
- Username enumeration based on login or forgot password pages
- An attacker in a Man-in-the-Middle
Shaadi.com reserves the right to add to and subtract from the Exclusions list depending on evaluated severity of reported vulnerabilities and risk acceptance.
All bounty amounts will be at the discretion of the Shaadi.com Bug Bounty team, which will be evaluated for severity, impact, and quality of the report to determine the bounty level. There could be submissions which we accept the risk and will not fix.
Leaks entire database in one go - High
Bounty of INR 15,000 + Certificate of Appreciation
Leaks contact details one by one through trial and error - Medium
Bounty of INR 10,000 + Certificate of appreciation
Leaks contacts of 'accepted' members without payment - Low
Bounty of INR 5,000 + Certificate of Appreciation
What to include in your report
A well written report will allow us to more quickly and accurately triage your submission. So please include:
- A clear description of the issue, including the impact you believe it has to the user, Shaadi.com, others.
- Specific reproduction steps including the environment used for testing (browsers, devices, tools, configuration) and any accounts used during testing.
- Your recommendations to resolve the issue.
- You can email your report at firstname.lastname@example.org with subject as "Bug Bounty" and your contact deails mentioned in it.
Shaadi.com reserves the right to modify terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please visit this webs site regularly as we routinely update our program terms and its eligibility, which will be effective upon posting. We reserve the right to cancel this program at any time without any notice any obligation or any liability to anyone.