Report a Bug

What qualifies as a bug for bounty?

Anything from typos & design issues to security vulnerabilities like Cross-site Request Forgeries (CSRF/XSRF) are considered bugs.

How do I disclose a bug to Instamojo?

Email bugs@instamojo.com with the details of the issue and how to reproduce the issue.

Attributes of a good report

To help us understand the bug faster, your report should provide detailed information about how to reproduce the issue you are seeing.

This may include screenshots, URLs visited, scripts/software used, accounts involved, etc.

Is there a reward/bounty? How much is the amount?

Yes. All bugs are awarded a bounty based on their impact.

The kind and amount of bounty to be given out will be at the discretion of Instamojo.

The reward will be remitted to Indian bank accounts via NEFT. We are not currently able to make international remittances at this time.

Websites under scope

  • www.instamojo.com (excluding www.instamojo.com/blog/)
  • api.instamojo.com

Out-of-scope Vulnerabilities

  • Recently disclosed 0-day vulnerabilities. Please give us ample time before reporting these types of issues, since we need patch our systems (just like everyone else).
  • Missing security headers that are recommended but do not present an immediate security vulnerability.
  • Self-XSS that can not be used to exploit other users (this includes having a user paste JavaScript into the browser console).
  • Weak Password Policy (we're currently aware of that).
  • Lack of rate limits (we're currently aware of that).
Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request