Vulcan

We help businesses get ahead of the digital evolution and stay ‘Always Consumer Ready’. Our platform provides deep understanding of and insights into their consumers, engages consumers through personalized 1:1 communication, provides easy and connected cross-channel commerce experiences, and builds loyalty to reward and retain their best consumers. If you have found any security vulnerabilities in the application you were visiting, kindly report them here.

Program Details

We are committed to keeping our products and services secure and safe for everyone. If you are a Security Researcher or an Expert on security and you believe that you have identified any security-related vulnerability, bug or issue in our Website, Services, Application or Mobile App, then we request you to disclose it responsibly.

We appreciate your time and effort and we will respond to you as quickly as possible. Please provide a detailed description of the vulnerability so that it is easy for us to validate and fix it. We will keep you updated as we work to fix the vulnerability. We believe that those who intend to help Organizations & their Customers by improving Security must be treated with respect & professionalism. With this belief, we have created a Policy, Protocols, Guidelines & Principles for you to follow & adhere to. We request you to adhere to these guidelines & in return we assure you that your discovery & responsible disclosure will not invite any legal action against you.

Our intent is to benefit from those who are concerned about our security & to reward such honorable intentions!

Responsible Disclosure Policy

An effective disclosure policy requires mutual trust, respect, and transparency between Security Researchers and our InfoSec Team. Principles & guidelines for responsible investigation & disclosure are important to protect us, our Clients & our Customers. Every Security Researcher or Bounty Hunter should ensure that these principles are adhered to at all times. Failure to adhere to these principles & guidelines will result in ineligibility to be considered for reward & recognition.

We retain the right to decide when & how a bug or vulnerability will be remedied or fixed.

Principles and Guidelines

  • Report any vulnerability as soon as you discover it. Please avoid a public disclosure before it has been fixed. We will confirm acknowledgment within 72 working hours of your submission.
  • Keep all information about the bug confidential until we have resolved the problem. Disclosure of bugs or vulnerabilities to any entity or individual other than us must be avoided. Any improper public disclosure or misuse of information will entitle us to take appropriate legal action.
  • Threats of any kind, or exploiting the vulnerability for your own or others' benefit, will result in immediate ineligibility and may result in legal action.
  • Appreciate & adhere to our Privacy Policy & protect the privacy of our Users. Avoid any privacy violations, degradation of User experience, disruption to production systems, and destruction of data during your security testing. Also ensure that no valid data is destroyed.
  • Never create a copy of data or information that you obtain access to. Taking screenshots as proof of concept or supporting evidence may be permissible, but these screenshots must be masked, & original copies which display private information must be deleted permanently & unretrievably.
  • Avoid using test cases or vulnerability testing tools that generate a significant volume of traffic or disrupt our services.
  • Refrain from accessing other Users' accounts or data without permission. All your security testing should be restricted to your own account or a Test Account specifically belonging to you.
  • Use only Test Accounts to reproduce a vulnerability and do not attempt to breach Live Accounts.
  • Submit a bug only if you have exploited a real vulnerability (refer to the Ineligible Submissions section below).
  • Do not use scanners or automated tools to find vulnerabilities. They're intensive, heavy and digitally noisy. We may be compelled to block such automated tests.
  • We also request you not to attempt attacks such as Social Engineering & Phishing. These kinds of bugs are not considered as valid under this program.
  • The vulnerability must be original and previously unreported. The first reporter will have the benefit of the reward. Nevertheless, we always intend to appreciate all those who report their discoveries to us. This will be decided on a case-by-case basis.
  • Conduct an investigation using your own Account. Do not target or attempt to access/disrupt data or account of other Users of our application.
  • Stop proceeding further if you identify a severe vulnerability which may expose excessive amounts of data.

Eligible Submissions

Bugs which pose a significant threat to our product range are the ones eligible for reward & recognition. We retain the right to evaluate & decide whether a reported Bug or Vulnerability is eligible. The list provided below is not exhaustive. Established standards for application security will be consulted when evaluating the severity of Bugs.

  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Code Execution
  • SQL Injection
  • Server Side Request Forgery (SSRF)
  • Privilege Escalation
  • Authentication Bypass
  • File Inclusion (Local & Remote)
  • Protection Mechanism Bypass
  • Leakage of Sensitive Data
  • Directory Traversal
  • Payment Manipulation
  • Open Redirects
  • Flawed Authentication Mechanism
  • Insecure Administration Portal

Ineligible Submissions

These types of Bugs & Vulnerabilities will not be eligible for reward & recognition. All submissions which are not disclosed responsibly become ineligible automatically. See the section on Responsible Disclosure Principles & Guidelines.

  • Self-targeted Cross-Site Scripting [XSS].
  • Vulnerabilities associated with or caused due to Denial of Service attacks.
  • Cross-Site Request Forgery for actions that have a low impact.
  • Vulnerabilities related to Brute Force attacks.
  • Application stack traces and similar disclosures, such as Path Disclosure.
  • Indirect vulnerabilities on third-party applications (vulnerability must belong to an application owned & managed by us).
  • Social Engineering attack.
  • Vulnerabilities that arise due to security action not taken by User (example: unpatched or outdated browser or OS).
  • Inadequate proof of concept or evidence to support a claim of a bug or vulnerability.
  • The first individual to report a Bug or Vulnerability always gets credit. Any subsequent report of the same bug or vulnerability is ineligible.
  • Issues which cannot be reproduced adequately.
  • Issues which we cannot reasonably be required to do anything about.
  • Submissions from our current & previous Employees, Clients, Vendors, Contractors & Partners.

Things To Consider Before Reporting

  • Don't submit theoretical issues without a working Proof of Concept [POC].
  • Don't submit one-line reports which are not helpful. They will be ignored and marked as Spam.
  • Mention the steps to reproduce, with a proof of concept.
  • Don't report issues listed as known issues; they will be marked as Not Acceptable.
  • While reporting, please mention the URL where you found the vulnerability. In-Scope Domains include all URLs from which you landed on this page.

For any further clarification and queries, email us at safehats@instasafe.com mentioning the program name "VulCan" and a brief description of your discovery.

Severity Rating & Reward Structure

Severity of a Bug will be decided by us, but you may choose to assign a severity, which may be based on factors such as CVSS Rating, CWE ID, your assessment of risk, possible amount of security exposure, or exploitability of the vulnerability.

Each classification amounts to a certain Bounty Amount. Typically, we will adhere to these definitions & amounts, but we will objectively evaluate the value of each submission & decide the amount that will be disbursed.

In most cases, you should assume that the minimum payout will be the values given below (assuming that all other criteria & protocols are adhered to).

💰💰Financial Rewards💰💰

In-Scope URLs

The number of in-scope domains for this program is very large, so we are unable to display them here. If you have landed here after clicking a link on a specific website, then assume that it is part of the scope. We will respond appropriately for all in-scope domains & notify you if your submission is for an out-of-scope domain. Please mention the URL while reporting.

In-Scope Domain

https://www.url_from_where_you_landed_here.com