Grofers Responsible Disclosure
Bug Bounty Program


We, at Grofers India Private Limited (“Company”), work hard to keep our applications and user data secure and make every effort to stay on top of the latest threats. We believe that information security is as important as any other part of an enterprise and should be treated as the utmost priority. To strengthen it, we have introduced our Bug Bounty Responsible Disclosure Program (“Program”).

If you have found a valid security vulnerability in our applications (refer to the scope provided below), you can report it to us, and we will show our appreciation for your contribution in different ways.

How to report an issue?

If you have identified a vulnerability on any of our web properties, we request you to follow the steps outlined below:

  1. Please contact us by sending an email to responsible-disclosure@grofers.com with all the details needed to reproduce the vulnerability. This may include screenshots, videos or simple text/document instructions.
  2. So that we can reach you quickly, you may also share your contact number with us; our security team will contact you if further input is required to identify or close the vulnerability.
  3. After validating your findings, we will evaluate them on parameters such as impact and criticality, on the basis of which you will be rewarded.

Responsible Disclosure Guidelines

You shall protect all our Confidential Information (as defined below) from disclosure to third parties, hold it in trust and strictest confidence, and protect it against disclosure to any person in the same manner and with the same degree of care, but not less than a reasonable degree of care, that you would use to protect your own confidential information.

Eligibility

Eligibility for the Program is determined as follows:

  1. If you are the Company’s employee or are related to an employee (parent, sibling, spouse, relative, etc.), you are not eligible for the Program.
  2. If you are the Company’s customer or a security researcher interested in making our systems safe, you are eligible for the Program.
  3. You may be ineligible for our Program if the impact and severity of your finding are minimal, or if the finding is a false positive.

Scope for our Program

  1. grofers.com domain and sub-domains
  2. Our mobile apps – on Android or iOS platforms
  3. Any critical vulnerability, outside the scope mentioned above, in domains/services related to Grofers

Out of Scope

  1. UI-Redressing/Clickjacking on non-sensitive endpoints
  2. Misconfigured CORS which can’t be used to leak sensitive information
  3. Issues that resolve to third-party services
  4. Issues that do not affect the latest version of modern browsers
  5. Issues that require unlikely user interaction
  6. Disclosure of information that does not present a significant risk
  7. Cross-site Request Forgery with minimal security impact
  8. General best practice concerns