Bug Bounty Program

Rewards

Program rules

• Don't violate the privacy of other users, destroy data, disrupt our services, etc.
• Give us a reasonable time to respond to the issue so that Our team will try to triage all reports with priority to the severity, scenario and exploit complexity. We will notify you when the reported vulnerability is remediated, and you may confirm that the solution covers the vulnerability adequately.
• Only target your own accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the accounts of other users without the express permission of our team.
• Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc.
• In case you find a severe vulnerability that allows system access, you must not proceed further.
• It is Dukaan’s decision to determine when and how bugs should be addressed and fixed.
• Disclosing bugs to a party other than Dukaan is forbidden, all bug reports are to remain at the reporter and Dukaan’s discretion.
• Threatening of any kind will automatically disqualify you from participating in the program.
• Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
• Bug disclosure communications with Dukaan’s Security Team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.

Eligibility

• Be the first to report the issue to us.
• Must pertain to an item explicitly listed under Vulnerability Categories.
• Must contain sufficient information including a proof of concept screenshot, video, or code snippet where needed.
• You agree to participate in testing the effectiveness of the countermeasure applied to your report.
• You agree to keep any communication with Dukaan private.

Vulnerability Categories

Vulnerability Type

• Cross-Site Request Forgery
• Cross-Site Scripting
• Open Redirects
• Cross Origin Resource Sharing
• SQL injections
• Server Side Request Forgery
• Privilege Escalation
• Local File Inclusion
• Remote File Inclusion
• Leakage of Sensitive Data
• Authentication Bypass
• Directory Traversal
• Payment Manipulation
• Remote Code Execution
• Information Disclosure
• Subdomain Takeover
• Insecure Direct Object Reference (IDOR)

Exclusions

• Missing any best security practice that is not a vulnerability
• Self XSS
• Username or email address enumeration
• Social engineering and flooding of email
• HTML injection and CSV injection
• Any issue where a store staff member or seller side is able to insert javascript (XSS) in the storefront area of their own store
• Open Redirects without demonstrating additional security impact (such as stealing auth tokens)
• Clickjacking in unauthenticated pages or in pages with no significant state-changing action
• Logout or unauthenticated CSRF
• Missing cookie flags on non-sensitive cookies
• Missing security headers that do not lead directly to a vulnerability
• Unvalidated findings from automated tools or scans
• Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)
• Attacks that require physical access to a user device
• Host header attacks without evidence of the ability to target a remote victim
• Use of a known-vulnerable library (without evidence of exploitability)
• Low-impact descriptive error pages and information disclosures without any sensitive information
• Invalid or missing SPF/DKIM/DMARC/BIMI records
• Password and account policies, such as (but not limited to) reset link expiration or password complexity
• Phishing risk via unicode/punycode or RTLO issues
• Testing on third party plugins and subdomains are ineligible for a reward.
• Missing rate limitations on endpoints (without any security concerns)
• Presence of EXIF information in file uploads
• Ability to upload/download executables
• Lack of mobile binary protection and mobile SSL pinning
• Reports exploiting the behaviour of vulnerabilities in outdated browsers

In Scope

Out of Scope

Got Questions? We Got Answers!

If you have a query or complaint about the Dukaan Bug Bounty Program, please contact us using security@mydukaan.io email address.

Hall of Fame

On behalf of over five million dukandars, we would like to thank the following people for making a responsible disclosure to us:

2023

• Ayush Sahu
• Arfat Khan

2022

• Rutuparn Satpute
• Gia Bui Dai
• Nitish Parmar
• Mohamed Althaf
• Ashik SN
• Devashish Soni
• Vishwas Reddy
• Sachin kalkumbe
• Hariharan
• Ritik Kumar
• Zeb0x01
• Veluturi Srikar
• Patel Shrey
• Mohammad Yunus
• Devender Rao
• Quydox3
• Prathamesh S
• Alexis Fernández
• Magesh Baskaran
• Alfido Osdie
• Shivam Shrivastav
• Manikesh Singh
• Pranshu Shakya

2021

• Sandeep Srinivasan
• Praveen prajith
• Yeshwanth
• Meljith Pereira
• Vineet Bhati
• Zeb0x01