At Gofrugal, keeping customer information safe and secure is our number one priority
GOFRUGAL offers this Vulnerability Reward Program (VRP) to continuously improve the security of our products for ensure our Retail, Restaurant & Distributions customers experience the secure billing & stock managements features.
If you are a bug hunter, security researcher, or a white hat hacker, GOFRUGAL is extending you an opportunity to show your skills in identifying security vulnerabilities on, and get rewarded in return. We will make every effort to get the issues addressed as quickly as possible.
Please ensure you understand the program rules before you report a vulnerability. By participating in this program, you agree to be bound by the below mentioned rules.
Submit bugResponsible Disclosure Guideline
You will not publicly disclose a bug before it has been fixed and confirmation from our side
You will protect our users' privacy and data. You will not access or modify data without our permission
You will ensure no disruption to our production systems and no destruction of data during security testing
If any privacy violation is inadvertently caused by you while testing, you are liable to disclose it immediately to us
You will abstain from exploiting a security issue you discover for any reason
You will not attempt phishing or security attacks. This might end in suspension of your account.
Due to a high number of submissions, we may take a reasonable time to fix the vulnerability reported by you. You have to allow us time to respond to you
You will not violate any laws or regulations. GOFRIGAL will not be responsible for non-adherence of laws from your end.
Our Responsibility
We will get back to you preferably within 5 working days.
We will keep you updated about the bug reported and its fixture at our end
We will suitably reward you for your effort as mentioned in the bounty details
Eligibility
If you are a GOFRUGAL customer or a security researcher interested in making our systems safe, you are eligible
If you are a GOFRUGAL employee or are related to an employee (parent, sibling, spouse), you are not eligible for the this program
Program Terms
By participating in GOFRUGAL Bug Bounty Program, you comply to GOFRUGAL's terms and conditions. To qualify for a bounty, you have to meet the following requirements:
Automated tools or scripts ARE STRICTLY PROHIBITED
Any POC submitted to us should have a proper step-by-step guide to reproduce the issue.
Abuse of any vulnerability found shall be liable for legal penalties.
Adherence to GOFRUGAL Disclosure Policy
Reporting of a security vulnerability
You will provide necessary assistance to GOFRUGAL, if required in resolving the security issue
The bounty will be paid after the bug has been fixed.
In the case of duplicate reports, the person who reports them first would get the bounty
Extremely low-risk issues may not qualify for a bounty.
Though we seek to reward similar amount for similar issues, qualifying issues and the amounts paid may change.
Certain types of security issues are excluded. We have listed them under 'out of scope' report
If you disclose a bug/security issue via social media w/o our permission, you will be rendered ineligible for this program
Scope & Exclusions
Checkout the following to learn what is included within the SCOPE of this program:
GOFRUGAL's services, Products/apps
Checkout the following to learn what is included within the OUT OF SCOPE of this program:
Reward Categorisation
Critical
SQL Injections (Able to access and manipulate sensitive and PII information)
Remote Code Execution (RCE) vulnerabilities
Shell Upload vulnerabilities (Only upload basic backend script that just prints some string, preferably try printing the hostname of the server and stop there)
Vertical Privilege escalation (Gaining admin access)
Bulk user sensitive information leak
Business logic vulnerabilities (Critically impacting GOFRUGAL Brand, User (Customer) data and financial transactions)
High
Authentication bypass
Non-Blind SSRF
Account Takeover (Without user interaction)
Stored XSS
IDOR (Able to access and modify sensitive and PII information)
Horizontal privilege escalation
Deserialization vulnerabilities
Path traversal (Access to sensitive information)
Medium
SQL Injection (For non-sensitive information)
Account Takeover (With user interaction)
IDOR ( (Able to access and modify non-sensitive information)
Reflected/DOM XSS to steal user cookies)
Injection attacks ( Formula injection, Host header injection)
Low
Path Traversal (Access non-sensitive information)
IDOR (Non-sensitive information disclosure)
Captcha bypass
Exclusions
General
DoS and DDoS testing ARE STRICTLY PROHIBITED
IDOR references for objects that you have permission to
Duplicate submissions that are being remediated
Use of a known-vulnerable library (without evidence of exploitability)
Rate limiting (Unless which impacts severe threat to data, business loss)
Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
Clickjacking and issues only exploitable through clickjacking
Only session cookies needed http and secure flags. Apart from these, for other cookies we won’t consider as vulnerability
Social Engineering attacks
Missing any best security practice that is not a vulnerability
Self XSS
Username or email address enumeration
Email/SMS bombing
XSS vulnerabilities on sandbox or user-content domains
Unvalidated or open redirects or tab-nabbing
Missing security headers that do not lead directly to a vulnerability
Unvalidated findings from automated tools or scans
"Back" button that keeps working after logout
HTML/CSV injection
Issues that do not affect the latest version of modern browsers or platforms
Attacks that require physical access to a user's device
Non-critical issues in blog.gofrugal.com or other product blogs
Phishing risk via Unicode/Punycode or RTLO issues
0-day vulnerabilities in any third parties we use within 10 days of their disclosure
Any other issues determined to be of low or negligible security impact
Usage of known vulnerable components without actual working exploit
System related
Patches released within the last 30 days
Networking issues or industry standards
Password and account policies, such as (but not limited to) reset link expiration or password complexity
Information Leakage
Descriptive error messages (e.g. Stack Traces, application or server errors)
HTTP 404 codes/pages or other HTTP non-200 codes/pages
Fingerprinting / banner disclosure on common/public services
Disclosure of known public files or directories, (e.g. robots.txt)
Cacheable SSL pages
SSL/TLS best practices
Presence of EXIF information in file uploads
Invalid or missing SPF/DKIM/DMARC/BIMI records
CSRF
CSRF on forms that are available to anonymous users (e.g. the contact form, sign-up form)
Logout Cross-Site Request Forgery (logout CSRF)
Weak CSRF in the API
Login/Session related
Forgot Password page brute force and account lockout not enforced
Lack of Captcha
Sessions not expiring after email change
Presence of application or web browser 'autocomplete' or 'save password' functionality
Session Timeouts
Breach of our program's terms
You are expected to respect all the terms and conditions of GOFRUGAL Bug Bounty Program. Non-adherence or non-compliance will automatically disqualify you. A serious breach may also lead to suspension of your account.
Changes to Program Terms
GOFRUGAL's Bug Bounty Program, and its policies, are subject to change or cancellation by us at anytime, without notice. Also, we may amend the terms and/or policies of the program at anytime. In case of any change, a revised version will be posted here.
Bounty Details
GOFRUGAL provides monetary rewards to vulnerability reporters at its discretion and the reward may vary based upon metrics including (but not limited to) vulnerability severity, impact, and exploitability.
| Severity | Bounty in INR (Up to) |
|---|---|
| Low | INR 2000 |
| Medium | INR 5000 |
| High | INR 10000 |
| Critical | INR 20000 |