At Gofrugal, keeping customer information safe and secure is our number one priority
GOFRUGAL offers this Vulnerability Reward Program (VRP) to continuously improve the security of our products for ensure our Retail, Restaurant & Distributions customers experience the secure billing & stock managements features.
If you are a bug hunter, security researcher, or a white hat hacker, GOFRUGAL is extending you an opportunity to show your skills in identifying security vulnerabilities on, and get rewarded in return. We will make every effort to get the issues addressed as quickly as possible.
Please ensure you understand the program rules before you report a vulnerability. By participating in this program, you agree to be bound by the below mentioned rules.Submit bug
You will not publicly disclose a bug before it has been fixed and confirmation from our side
You will protect our users' privacy and data. You will not access or modify data without our permission
You will ensure no disruption to our production systems and no destruction of data during security testing
If any privacy violation is inadvertently caused by you while testing, you are liable to disclose it immediately to us
You will abstain from exploiting a security issue you discover for any reason
You will not attempt phishing or security attacks. This might end in suspension of your account.
Due to a high number of submissions, we may take a reasonable time to fix the vulnerability reported by you. You have to allow us time to respond to you
You will not violate any laws or regulations. GOFRIGAL will not be responsible for non-adherence of laws from your end.
We will get back to you preferably within 5 working days.
We will keep you updated about the bug reported and its fixture at our end
We will suitably reward you for your effort as mentioned in the bounty details
If you are a GOFRUGAL customer or a security researcher interested in making our systems safe, you are eligible
If you are a GOFRUGAL employee or are related to an employee (parent, sibling, spouse), you are not eligible for the this program
By participating in GOFRUGAL Bug Bounty Program, you comply to GOFRUGAL's terms and conditions. To qualify for a bounty, you have to meet the following requirements:
Automated tools or scripts ARE STRICTLY PROHIBITED
Any POC submitted to us should have a proper step-by-step guide to reproduce the issue.
Abuse of any vulnerability found shall be liable for legal penalties.
Adherence to GOFRUGAL Disclosure Policy
Reporting of a security vulnerability
You will provide necessary assistance to GOFRUGAL, if required in resolving the security issue
The bounty will be paid after the bug has been fixed.
In the case of duplicate reports, the person who reports them first would get the bounty
Extremely low-risk issues may not qualify for a bounty.
Though we seek to reward similar amount for similar issues, qualifying issues and the amounts paid may change.
Certain types of security issues are excluded. We have listed them under 'out of scope' report
If you disclose a bug/security issue via social media w/o our permission, you will be rendered ineligible for this program
Checkout the following to learn what is included within the SCOPE of this program:
GOFRUGAL's services, Products/apps
Checkout the following to learn what is included within the OUT OF SCOPE of this program:
SQL Injections (Able to access and manipulate sensitive and PII information)
Remote Code Execution (RCE) vulnerabilities
Shell Upload vulnerabilities (Only upload basic backend script that just prints some string, preferably try printing the hostname of the server and stop there)
Vertical Privilege escalation (Gaining admin access)
Bulk user sensitive information leak
Business logic vulnerabilities (Critically impacting GOFRUGAL Brand, User (Customer) data and financial transactions)
Account Takeover (Without user interaction)
IDOR (Able to access and modify sensitive and PII information)
Horizontal privilege escalation
Path traversal (Access to sensitive information)
SQL Injection (For non-sensitive information)
Account Takeover (With user interaction)
IDOR ( (Able to access and modify non-sensitive information)
Reflected/DOM XSS to steal user cookies)
Injection attacks ( Formula injection, Host header injection)
Path Traversal (Access non-sensitive information)
IDOR (Non-sensitive information disclosure)
IDOR references for objects that you have permission to
Duplicate submissions that are being remediated
Rate limiting (Unless which impacts severe threat to data, business loss)
Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
Clickjacking and issues only exploitable through clickjacking
Only session cookies needed http and secure flags. Apart from these, for other cookies we won’t consider as vulnerability
Social Engineering attacks
Patches released within the last 30 days
Networking issues or industry standards
Descriptive error messages (e.g. Stack Traces, application or server errors)
HTTP 404 codes/pages or other HTTP non-200 codes/pages
Fingerprinting / banner disclosure on common/public services
Disclosure of known public files or directories, (e.g. robots.txt)
Cacheable SSL pages
SSL/TLS, Missing Certificate Authority Authorisation rule best practices
CSRF on forms that are available to anonymous users (e.g. the contact form, sign-up form)
Logout Cross-Site Request Forgery (logout CSRF)
Weak CSRF in the API
Forgot Password page brute force and account lockout not enforced
Lack of Captcha
Sessions not expiring after email change
Presence of application or web browser 'autocomplete' or 'save password' functionality
You are expected to respect all the terms and conditions of GOFRUGAL Bug Bounty Program. Non-adherence or non-compliance will automatically disqualify you. A serious breach may also lead to suspension of your account.
GOFRUGAL's Bug Bounty Program, and its policies, are subject to change or cancellation by us at anytime, without notice. Also, we may amend the terms and/or policies of the program at anytime. In case of any change, a revised version will be posted here.
GOFRUGAL provides monetary rewards to vulnerability reporters at its discretion and the reward may vary based upon metrics including (but not limited to) vulnerability severity, impact, and exploitability.
|Severity||Bounty in INR (Up to)|