Bug Bounty Program

We encourage responsible disclosure of security vulnerabilities through this bug bounty program. We deeply value all those in the security community who help us ensure 100% security of all our systems at all times.

At Dukaan, Security is our Top Priority!

If you are a bug hunter, security researcher, or a white hat hacker, Dukaan is extending you an opportunity to show your skills in identifying security vulnerabilities and get rewarded/recognized in return.

If you discover a vulnerability, we appreciate your cooperation in responsibly reporting it to us so that we can address it as soon as possible.

We try our best to keep all platforms of Dukaan secure, and make every effort to keep on top of the latest threats by working with our in-house security team and external security consultants. If you are able to spot any security issues or vulnerabilities, please report them here.

We would like to continuously build relationships and work with as many security technology enthusiasts as possible, and fairly reward any such issues spotted as well.

Rewards

  • Low: $50
  • Medium: $150
  • High: $300
  • Critical: $500

Program rules

  • Don't violate the privacy of other users, destroy data, disrupt our services, etc.
  • Give us a reasonable time to respond to the issue. Our team will try to triage all reports, prioritising by severity, scenario and exploit complexity. We will notify you when the reported vulnerability is remediated, and you may confirm that the solution covers the vulnerability adequately.
  • Only target your own accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the accounts of other users without the express permission of our team.
  • Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
  • In case you find a severe vulnerability that allows system access, you must not proceed further.
  • It is Dukaan’s decision to determine when and how bugs should be addressed and fixed.
  • Disclosing bugs to a party other than Dukaan is forbidden; all bug reports are to remain at the reporter's and Dukaan’s discretion.
  • Threats of any kind will automatically disqualify you from participating in the program.
  • Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
  • Bug disclosure communications with Dukaan’s Security Team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.

Eligibility

  • Be the first to report the issue to us.
  • Must pertain to an item explicitly listed under Vulnerability Categories.
  • Must contain sufficient information including a proof of concept screenshot, video, or code snippet where needed.
  • You agree to participate in testing the effectiveness of the countermeasure applied to your report.
  • You agree to keep any communication with Dukaan private.

Vulnerability Categories

  • Cross-Site Request Forgery
  • Cross-Site Scripting
  • Open Redirects
  • Cross Origin Resource Sharing
  • SQL injections
  • Server Side Request Forgery
  • Privilege Escalation
  • Local File Inclusion
  • Remote File Inclusion
  • Leakage of Sensitive Data
  • Authentication Bypass
  • Directory Traversal
  • Payment Manipulation
  • Remote Code Execution
  • Information Disclosure
  • Subdomain Takeover
  • Insecure Direct Object Reference (IDOR)

Exclusions

  • Missing any best security practice that is not a vulnerability
  • Self XSS
  • Username or email address enumeration
  • Social engineering and flooding of email
  • HTML injection and CSV injection
  • Any issue where a store staff member or seller is able to insert JavaScript (XSS) in the storefront area of their own store
  • Open Redirects without demonstrating additional security impact (such as stealing auth tokens)
  • Clickjacking in unauthenticated pages or in pages with no significant state-changing action
  • Logout or unauthenticated CSRF
  • Missing cookie flags on non-sensitive cookies
  • Missing security headers that do not lead directly to a vulnerability
  • Unvalidated findings from automated tools or scans
  • Access to individual paid features on an ineligible plan (for example, race conditions that lead to bypassing the limit of staff members for your current plan)
  • Attacks that require physical access to a user device
  • Host header attacks without evidence of the ability to target a remote victim
  • Use of a known-vulnerable library (without evidence of exploitability)
  • Low-impact descriptive error pages and information disclosures without any sensitive information
  • Invalid or missing SPF/DKIM/DMARC/BIMI records
  • Password and account policies, such as (but not limited to) reset link expiration or password complexity
  • Phishing risk via unicode/punycode or RTLO issues
  • Testing on third-party plugins and subdomains is ineligible for a reward.
  • Missing rate limitations on endpoints (without any security concerns)
  • Presence of EXIF information in file uploads
  • Ability to upload/download executables
  • Lack of mobile binary protection and mobile SSL pinning
  • Reports exploiting the behaviour of vulnerabilities in outdated browsers

In Scope

  • Domain: *.mydukaan.io (Critical; eligible for bounty)
  • Android: Playstore (Critical; eligible for bounty)
  • (asset name not given on this page): Critical; eligible for bounty

Out of Scope

  • Domain: mydukaan.io/blog
  • Domain: blog.mydukaan.io
  • Domain: roadmap.mydukaan.io

Got Questions? We Got Answers!

If you have a query or complaint about the Dukaan Bug Bounty Program, please contact us at security@mydukaan.io.