What qualifies as a bug for bounty?
Anything from typos & design issues to security vulnerabilities like Cross-Site Request Forgery (CSRF/XSRF) is considered a bug.
How do I disclose a bug to Instamojo?
Email firstname.lastname@example.org with the details of the issue and how to reproduce the issue.
Attributes of a good report
To help us understand the bug faster, your report should provide detailed information about how to reproduce the issue you are seeing.
This may include screenshots, URLs visited, scripts/software used, accounts involved, etc.
Is there a reward/bounty? How much is the amount?
Yes. All bugs are awarded a bounty based on their impact.
The kind and amount of bounty to be given out will be at the discretion of Instamojo.
The reward will be remitted to Indian bank accounts via NEFT. We are currently unable to make international remittances.
Websites under scope
- www.instamojo.com (excluding www.instamojo.com/blog/)
- Recently disclosed 0-day vulnerabilities. Please give us ample time before reporting these types of issues, since we need to patch our systems (just like everyone else).
- Missing security headers that are recommended but do not present an immediate security vulnerability.
- Weak Password Policy (we're currently aware of that).
- Lack of rate limits (we're currently aware of that).