Shaadi.com Bug Bounty
Shaadi.com is launching a bug bounty program to foster collaboration with security professionals. Through this program we aim to protect our members' personal information from malicious activity arising from vulnerabilities in our networks, web and mobile applications, and to set security policies across our organization. We treat the security and safety of our members' personal information with the utmost importance.
For the protection of our members, Shaadi.com does not disclose, discuss or confirm security matters until comprehensively investigating, diagnosing and fixing any known issues.
- Do not intentionally harm the experience or usefulness of the service to others, including degradation of services & denial of service attacks.
- Do not access or modify our data or our users' data, without explicit permission. Only interact with your own accounts.
- Do not disclose the reported vulnerability to anyone else until we've had reasonable time to fix it.
- You must be 18 or older to be eligible to participate in this program/award.
- You must agree and adhere to the Program Rules and Legal terms as stated in this policy.
- You must be the first to report the issue in order to be eligible for bounty*.
- You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.
- Shaadi.com Partners, employees and their friends are not eligible for participation in this program.
Targets Eligible for Reward
Currently, we offer monetary rewards along with a certificate of appreciation only for the properties listed below. Subdomains not specifically listed are not included in the Targets Eligible for Reward.
If you have found a vulnerability in a Shaadi.com site or app not contained within this list, you can still submit, and Shaadi.com will triage the report. These types of reports will not result in a monetary reward but valid reports that are resolved are eligible for certificate of appreciation.
- www.shaadi.com and all its community domains *
- Shaadi.com iOS & Android apps
Many of our sites (including community domains) share a common platform. Because of this, a vulnerability reported on one domain may exist on another domain if the issue is in the shared platform itself. For example, an issue reported for Shaadi.com may also be present in exactly the same way on tamilshaadi.com, and the issue will be resolved on both sites with the same fix. We ask that you take the time to confirm this first, and include the other vulnerable locations in one report rather than submitting multiple reports. In these cases, we treat the issue as one bug and will close the others as duplicates. Rest assured, we do take the presence of a vulnerability on multiple sites into consideration when deciding the reward.
Please consider the following when reporting issues:
- Because many of our sites (including community domains) share a common platform, a bug with the same root cause may be present on more than one domain.
- It speeds up the triage process if you include in your one report other locations where the same bug is present.
- When in doubt, please file a single report and write down your thoughts. If we think you found different vulnerabilities, we'll be more than happy to let you file another bug.
Exclusions
The following issues are out of scope and will not be rewarded unless accompanied by a proof of concept demonstrating a concrete exploit:
- Attacks dependent upon social engineering
- Attacks requiring physical access to a user's device
- Attacks requiring a Man-in-the-Middle (MiTM) position
- CSRF (Cross Site Request Forgery)
- XSS (Cross Site Scripting)
- Host Header Injection
- Content spoofing / text injection
- Hyperlink injection in emails using forms available to any user
- Denial of Service attacks
- Clickjacking, without additional details demonstrating a specific exploit
- Contact information of a member obtained via a front-end feature that is working as designed, e.g. a membership type that intentionally allows free members to view premium contact details
- Disclosure of known public files or directories
- Enforcement policies for brute force or account lockout
- Password and account recovery policies
- Issues related to active sessions after password changes
- Mail configuration issues including SPF, DKIM, DMARC settings
- Mixed content issues
- Enabled HTTP methods
- Outdated software / library versions
- Presence of autocomplete functionality in form fields
- Publicly accessible login panels
- Rate-limiting issues / insufficient Anti-Automation
- Descriptive error messages or headers (e.g. Stack Traces, application or server errors, banner grabbing)
- Cookies that lack HTTP Only or Secure settings for non-sensitive data
- Missing security headers without additional details or a POC demonstrating a specific exploit
- SSL/TLS best practices
- Use of a known-vulnerable library without a description of an exploit specific to our implementation
- Username enumeration based on login or forgot password pages
- Reports from automated tools or scans
Shaadi.com reserves the right to add to or remove from the Exclusions list depending on the evaluated severity of reported vulnerabilities and our risk acceptance.
Rewards
All bounty amounts are at the discretion of the Shaadi.com Bug Bounty team, which evaluates severity, impact and the quality of the report to determine the bounty level. Some submissions may describe a risk we choose to accept and will not fix.
- High: leaks the entire database in one go. Bounty of INR 15,000 + Certificate of Appreciation
- Medium: leaks contact details one by one through trial and error. Bounty of INR 10,000 + Certificate of Appreciation
- Low: leaks contacts of 'accepted' members without payment. Bounty of INR 5,000 + Certificate of Appreciation
What to include in your report
A well-written report allows us to triage your submission more quickly and accurately. Please include:
- A clear description of the issue, including the impact you believe it has on users, Shaadi.com and others.
- Specific reproduction steps including the environment used for testing (browsers, devices, tools, configuration) and any accounts used during testing.
- Your recommendations to resolve the issue.
- Email your report to firstname.lastname@example.org with the subject "Bug Bounty" and your contact details mentioned in it.
Shaadi.com reserves the right to modify the terms and conditions of this program, and your participation in the program constitutes acceptance of all terms. Please visit this website regularly, as we routinely update our program terms and eligibility, which take effect upon posting. We reserve the right to cancel this program at any time without notice, obligation or liability to anyone.