At Gofrugal, keeping customer information safe and secure is our number one priority

GOFRUGAL offers this Vulnerability Reward Program (VRP) to continuously improve the security of our products for ensure our Retail, Restaurant & Distributions customers experience the secure billing & stock managements features.

If you are a bug hunter, security researcher, or a white hat hacker, GOFRUGAL is extending you an opportunity to show your skills in identifying security vulnerabilities on, and get rewarded in return. We will make every effort to get the issues addressed as quickly as possible.

Please ensure you understand the program rules before you report a vulnerability. By participating in this program, you agree to be bound by the below mentioned rules.

Submit bug

Responsible Disclosure Guideline

You will not publicly disclose a bug before it has been fixed and confirmation from our side

You will protect our users' privacy and data. You will not access or modify data without our permission

You will ensure no disruption to our production systems and no destruction of data during security testing

If any privacy violation is inadvertently caused by you while testing, you are liable to disclose it immediately to us

You will abstain from exploiting a security issue you discover for any reason

You will not attempt phishing or security attacks. This might end in suspension of your account.

Due to a high number of submissions, we may take a reasonable time to fix the vulnerability reported by you. You have to allow us time to respond to you

You will not violate any laws or regulations. GOFRUGAL will not be responsible for non-adherence of laws from your end.

Our Responsibility

We will get back to you preferably within 5 working days.

We will keep you updated about the bug reported and its fixture at our end

We will suitably reward you for your effort as mentioned in the bounty details


If you are a GOFRUGAL customer or a security researcher interested in making our systems safe, you are eligible

If you are a GOFRUGAL employee or are related to an employee (parent, sibling, spouse), you are not eligible for the this program

Program Terms

By participating in GOFRUGAL Bug Bounty Program, you comply to GOFRUGAL's terms and conditions. To qualify for a bounty, you have to meet the following requirements:

Automated tools or scripts ARE STRICTLY PROHIBITED

Any POC submitted to us should have a proper step-by-step guide to reproduce the issue.

Abuse of any vulnerability found shall be liable for legal penalties.

Adherence to GOFRUGAL Disclosure Policy

Reporting of a security vulnerability

You will provide necessary assistance to GOFRUGAL, if required in resolving the security issue

The bounty will be paid after the bug has been fixed.

In the case of duplicate reports, the person who reports them first would get the bounty

Extremely low-risk issues may not qualify for a bounty.

Though we seek to reward similar amount for similar issues, qualifying issues and the amounts paid may change.

Certain types of security issues are excluded. We have listed them under 'out of scope' report

If you disclose a bug/security issue via social media w/o our permission, you will be rendered ineligible for this program

Scope & Exclusions

Checkout the following to learn what is included within the SCOPE of this program:

GOFRUGAL's services, Products/apps

Checkout the following to learn what is included within the OUT OF SCOPE of this program:

Reward Categorisation


SQL Injections (Able to access and manipulate sensitive and PII information)

Remote Code Execution (RCE) vulnerabilities

Shell Upload vulnerabilities (Only upload basic backend script that just prints some string, preferably try printing the hostname of the server and stop there)

Vertical Privilege escalation (Gaining admin access)

Bulk user sensitive information leak

Business logic vulnerabilities (Critically impacting GOFRUGAL Brand, User (Customer) data and financial transactions)


Authentication bypass

Non-Blind SSRF

Account Takeover (Without user interaction)

Stored XSS

IDOR (Able to access and modify sensitive and PII information)

Horizontal privilege escalation

Deserialization vulnerabilities

Path traversal (Access to sensitive information)


SQL Injection (For non-sensitive information)

Account Takeover (With user interaction)

IDOR ( (Able to access and modify non-sensitive information)

Reflected/DOM XSS to steal user cookies)

Injection attacks ( Formula injection, Host header injection)


Path Traversal (Access non-sensitive information)

IDOR (Non-sensitive information disclosure)

Captcha bypass




IDOR references for objects that you have permission to

Duplicate submissions that are being remediated

Use of a known-vulnerable library (without evidence of exploitability)

Rate limiting (Unless which impacts severe threat to data, business loss)

Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)

Clickjacking and issues only exploitable through clickjacking

Only session cookies needed http and secure flags. Apart from these, for other cookies we won’t consider as vulnerability

Social Engineering attacks

Missing any best security practice that is not a vulnerability

Self XSS

Username or email address enumeration

Email/SMS bombing

XSS vulnerabilities on sandbox or user-content domains

Unvalidated or open redirects or tab-nabbing

Missing security headers that do not lead directly to a vulnerability

Unvalidated findings from automated tools or scans

"Back" button that keeps working after logout

HTML/CSV injection

Issues that do not affect the latest version of modern browsers or platforms

Attacks that require physical access to a user's device

Non-critical issues in or other product blogs

Phishing risk via Unicode/Punycode or RTLO issues

0-day vulnerabilities in any third parties we use within 10 days of their disclosure

Any other issues determined to be of low or negligible security impact

Usage of known vulnerable components without actual working exploit

System related

Patches released within the last 30 days

Networking issues or industry standards

Password and account policies, such as (but not limited to) reset link expiration or password complexity

Information Leakage

Descriptive error messages (e.g. Stack Traces, application or server errors)

HTTP 404 codes/pages or other HTTP non-200 codes/pages

Fingerprinting / banner disclosure on common/public services

Disclosure of known public files or directories, (e.g. robots.txt)

Cacheable SSL pages

SSL/TLS best practices

Presence of EXIF information in file uploads

Invalid or missing SPF/DKIM/DMARC/BIMI records


CSRF on forms that are available to anonymous users (e.g. the contact form, sign-up form)

Logout Cross-Site Request Forgery (logout CSRF)

Weak CSRF in the API

Login/Session related

Forgot Password page brute force and account lockout not enforced

Lack of Captcha

Sessions not expiring after email change

Presence of application or web browser 'autocomplete' or 'save password' functionality

Session Timeouts

Breach of our program's terms

You are expected to respect all the terms and conditions of GOFRUGAL Bug Bounty Program. Non-adherence or non-compliance will automatically disqualify you. A serious breach may also lead to suspension of your account.

Changes to Program Terms

GOFRUGAL's Bug Bounty Program, and its policies, are subject to change or cancellation by us at anytime, without notice. Also, we may amend the terms and/or policies of the program at anytime. In case of any change, a revised version will be posted here.

Bounty Details

GOFRUGAL provides monetary rewards to vulnerability reporters at its discretion and the reward may vary based upon metrics including (but not limited to) vulnerability severity, impact, and exploitability.

SeverityBounty in INR (Up to)
LowINR 2000
MediumINR 5000
HighINR 10000
CriticalINR 20000