Bug Bounty Program

What is the Security Bug Bounty Responsible Disclosure Program?

At Vantage Circle, we prioritize the security of our platform and continuously collaborate with our internal security team to stay informed about the latest threats. We encourage you to promptly report any security issues or vulnerabilities that you believe we may have overlooked so that we can take the necessary corrective measures.

How to report a bug?

If you are the initial person to notify us of a vulnerability and it results in us implementing a fix, you will be eligible for a reward based on the severity of the issue. By participating in our Bug Bounty Program, you agree to abide by Vantage Circle’s Non-Disclosure Terms.

Responsible Disclosure

To report a bug for our Bug Bounty Program, please send an email to security@vantagecircle.com from your registered email address with the subject prefix “Bug Bounty” and include the following details in the email. Please ensure that your email adheres strictly to the format specified below. Our security team will review your report promptly.

Subject:

Bug Bounty:

Email body:

Vulnerability Information:

Name of Vulnerability:

Vulnerability Category:

Description:

Vulnerable Instances:

Steps to Reproduce:

Proof of Concept:

Impact:

Recommendation:

Bounty Hunter details:

Full Name:

Email Address:

Mobile Number (Optional):

Any Publicly Identifiable profile:

Note: In the subject line, please select the vulnerability category that most closely matches one defined under Reward Categorisation. The Vantage Circle security team will review the submission and respond within 5 working days.

Program scope

All Vantage Circle Assets & Apps

Out-of-Scope Apps

Third-party service providers

All Vantage Circle clients.

Reward Categorisation

Please take note that the use of automated tools or scripts is strictly prohibited. If you submit a Proof of Concept (PoC), it must include a detailed, step-by-step guide to reproduce the issue. Any attempt to exploit a vulnerability will be subject to legal consequences.

NOTE that the reward for any vulnerability discovered will be determined after a discussion with the stakeholder leadership team.

NOTE that this categorization is not exhaustive, and Vantage Circle reserves the right to update it at any time.

All bounty rewards will be paid based on an internal assessment conducted by the Vantage Circle security team. We have categorized vulnerabilities according to their impact as follows:

Critical

1. SQL Injection (able to access and manipulate sensitive and PII information)

2. Remote Code Execution (RCE) vulnerabilities

3. Shell Upload vulnerabilities (only upload a basic backend script that prints a string, preferably the hostname of the server, and stop there)

4. Vertical privilege escalation (Gaining admin access)

5. Bulk user sensitive information leak

6. Business logic vulnerabilities (Critically impacting Vantage Circle Brand)

High

1. Authentication bypass

2. Non-Blind SSRF

3. Account Takeover (Without user interaction)

4. Stored XSS

5. Subdomain Takeover (On active domains)

6. IDOR (Able to access and modify sensitive and PII information)

7. Horizontal privilege escalation

8. Deserialization vulnerabilities

9. Path traversal (Access to sensitive information)

10. Mobile App vulnerability (does not require root/jailbreak access on the device and gives access to sensitive information)

Medium

1. SQL Injection (For non-sensitive information)

2. Account Takeover (With user interaction)

3. Reflected/DOM XSS to steal user cookies

4. Subdomain Takeover (on non-active domains)

5. Injection attacks (formula injection, Host header injection)

6. Mobile App vulnerability (requires root/jailbreak access on the device and gives access to sensitive information)

Low

1. Path Traversal (Access non-sensitive information)

2. IDOR (Non-sensitive information disclosure)

3. Mobile App vulnerability (requires root/jailbreak access on the device and gives access to non-sensitive information)

4. Mobile App vulnerability (does not require root/jailbreak access on the device and gives access to non-sensitive information)

5. Captcha bypass

Exclusions

General

IDOR references to objects that you already have permission to access

Duplicate submissions that are being remediated

Known issues

Missing rate limiting (unless it poses a severe threat to data or causes business loss)

Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)

Open redirects

Clickjacking and issues only exploitable through clickjacking

Missing HttpOnly and Secure flags are only considered for session cookies; for any other cookie, missing flags are not considered a vulnerability

Social Engineering attacks

System related

Patches released within the last 30 days

Networking issues or industry standards

Password complexity

Email related

SPF or DMARC records

Gmail “+” and “.” acceptance

Email bombs

Information Leakage

Descriptive error messages (e.g. Stack Traces, application or server errors)

HTTP 404 codes/pages or other HTTP non-200 codes/pages

Fingerprinting / banner disclosure on common/public services

Disclosure of known public files or directories, (e.g. robots.txt)

Cacheable SSL pages

SSL/TLS best practices

CSRF

CSRF on forms that are available to anonymous users (e.g. the contact form, sign-up form)

Logout Cross-Site Request Forgery (logout CSRF)

Weak CSRF in the APIs

Login/Session related

Forgot Password page brute force and account lockout not enforced

Lack of Captcha

Sessions not expiring after email change

Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality

Session Timeouts

Vantage Circle Non-Disclosure Terms (“Terms”)

Definition

In the context of this Security Bug Bounty Responsible Disclosure Program, the term “Confidential Information” refers to all information that the Company discloses or that the Participant acquires in the course of performing their duties under this program. This includes, but is not limited to:

1. Information that a reasonable person would consider confidential or that is inherently confidential, such as technical and non-technical information, intellectual property rights, know-how, designs, techniques, plans, procedures, improvements, technology, methods, object code, source code, databases, or any other information related to the Company’s product, work in progress, or future development of the product.

2. Marketing strategies, plans, financial information, projections, operations, sales estimates, shareholding patterns, business plans, and performance results relating to the past, present, or future business of the Company, plans for products or services, and customer or supplier lists.

3. The content, technical documents, and all information related to the Company’s product, as defined in the terms of this Agreement.

4. Any other information that may be communicated to the Participant.

It is the responsibility of the Participant to treat all Confidential Information as strictly confidential and to not disclose or use it for any purpose other than in connection with the Bug Bounty Program. Any unauthorized disclosure or use of Confidential Information may result in legal action.

Obligation of Confidentiality

The Participant agrees to maintain confidentiality of all Confidential Information obtained in connection with this Security Bug Bounty Responsible Disclosure Program. The following terms and conditions shall govern the Participant’s treatment of Confidential Information:

1. The Terms do not create a joint venture or partnership between the Parties.

2. The Participant shall not disclose, publish, or disseminate any Confidential Information for a period of 5 (five) years.

3. The Participant shall use Confidential Information only in connection with the Purpose and for no other purpose.

4. The Participant shall not copy or reproduce any Confidential Information. Any copies or reproductions already made shall belong to the Company.

5. The Participant shall not develop, independently or with others, any products, concepts, systems or techniques similar to or competitive with those contemplated by the Confidential Information or the Purpose.

6. The Participant shall indemnify, defend and hold the Company harmless from any losses, costs, expenses, or damages arising from the Participant’s breach of any obligation or agreement contained herein.

7. The Company shall remain the exclusive owner of all Confidential Information furnished to the Participant, including all copyrights, patents, and trade secrets.

8. Upon the Company’s request, the Participant shall promptly return all Confidential Information and certify in writing that all Confidential Information has been returned.

Remedies

The Participant understands and acknowledges that any disclosure or misappropriation of any of the Confidential Information in violation of the confidentiality obligations will cause the Company grave and irreparable harm, loss and injury, the amount of which may be difficult to ascertain. The Participant agrees that the Company has the right to apply to a court of competent jurisdiction for specific performance and/or an order restraining and enjoining any such further disclosure or breach and for such other relief as the Company shall deem appropriate, without posting or the need to post any bond or other security. Such right of the Company to obtain equitable relief in the form of specific performance, temporary restraining order, temporary or permanent injunction or any other equitable remedy which may then be available to it, without the necessity of proving actual damages, shall be in addition to the remedies otherwise available to it at law. The Participant expressly waives the defense that a remedy in damages will be adequate.

No Warranties

Nothing contained in the Terms mentioned hereinabove shall be construed to obligate the Company to disclose any information to the Participant.

Miscellaneous

1. Any notice or communication to be given to the Participant under these Terms shall be deemed given if delivered in writing to the email address provided by the Participant at the time of registration.

2. These Terms shall be fully binding upon the Participant.

3. The Participant shall not make any assignment of these Terms or any interest therein.

4. The Participant shall not develop, independently or with others, any products, concepts, systems or techniques similar to or competitive with those contemplated by the Confidential Information or the Purpose.

5. The failure of the Company to insist upon or enforce strict performance of any of the Terms mentioned hereinabove or to exercise any rights or remedies mentioned hereinabove, shall not be construed as a waiver or relinquishment to any extent of the Company’s rights to assert or rely upon any such provisions, rights or remedies in that or any other instance; rather the same shall remain in full force and effect.

6. These Terms shall be governed by, construed and enforced in accordance with the laws of the Republic of India.

7. The courts in Guwahati, Assam shall have the exclusive jurisdiction.