bug bounty program

What is the Grofers Bug Bounty Responsible Disclosure Program?

We, at Grofers, work hard to keep our customers secure and make every effort to stay on top of the latest threats. We believe that information security is as important as our product offerings and should be handled with the utmost attention in order to keep our customers secure.

Software security researchers are increasingly engaging with internet companies to hunt down vulnerabilities. If you are a security researcher and have found a valid security vulnerability in our applications (refer to the scope provided below), please report it to us right away through our Bug Bounty Responsible Disclosure Program.

how to report a bug?

If you have identified a vulnerability on any of our in-scope applications, we request you to follow these simple steps to report the vulnerability:

  1. Write to us at bugbounty@grofers.com with all the details that will help us reproduce the vulnerability, including (but not limited to):
    • name of the vulnerability
    • description
    • steps to reproduce and proof of concept - screenshots, videos or simple text/document instructions
    • impact
    • vulnerable HTTP request and response (if applicable)
    • remediation
  2. Please share your contact details with us so that our security team can reach out to you quickly if further input is required to identify or close the vulnerability. If the vulnerability is in the Grofers Android/iOS app or website, please share the registered phone number you used to discover it. Contact details include (but are not limited to):
    • your full name
    • your email address
    • your phone number
    • the phone number associated with your grofers account
    • a link to any publicly identifiable profile of yours (such as LinkedIn, GitHub, etc.)

We will reward you if we assess your vulnerability to be critical and if we end up making a change.

Participants in the Program shall be strictly bound by the Grofers Responsible Disclosure Policy.

eligibility

If you have identified a vulnerability on any of our in-scope applications, the following eligibility conditions apply:

  1. we only reward the first reporter of a vulnerability
  2. you must report a qualifying vulnerability through the steps identified in the “how to report a bug?” section
  3. if you are a grofers employee or are related to an employee (parent, sibling, spouse, relative, etc.), you are not eligible
  4. if you are our customer or a security researcher interested in making our systems safe, you are eligible
  5. any disclosure of the vulnerability without prior consent from grofers will result in disqualification. You may also be ineligible for our program if the vulnerability's impact and severity are found to be minimal or if the vulnerability is a false positive

scope for our program
  1. grofers.com domain and all its sub-domains
  2. grofer.io domain and all its sub-domains
  3. our mobile apps – on Android or iOS platforms
  4. cloud infrastructure platform

out of scope
  1. 3rd party applications
  2. DoS and DDoS attacks are STRICTLY PROHIBITED
  3. UI-redressing/clickjacking on non-sensitive endpoints
  4. misconfigured CORS that cannot be used to leak sensitive information
  5. issues that do not affect the latest version of modern browsers
  6. disclosure of information that does not present a significant risk
  7. cross-site request forgery (CSRF) with minimal security impact
  8. general best practices concerns

responsible disclosure policy
  1. You shall protect all our Confidential Information (as defined below) from disclosure to any third party, hold the same in trust and strictest confidence, and protect it against disclosure to any person in the same manner and with the same degree of care, but not less than a reasonable degree of care, that you would use to protect your own confidential information
  2. You shall not access, store, modify or reproduce in writing our users' data or other Confidential Information. Further, you agree that you shall:
    • not use any such Confidential Information except solely for the purpose of this program
    • not divulge any such Confidential Information to any third party without prior written approval of grofers
    • not copy or reverse engineer any such Confidential Information or use/exploit such Confidential Information for your own benefit or the benefit of another
  3. You shall ensure that no disruption to production systems, degradation of user experience or destruction of data is caused during security testing, whether by an automated security scanner, brute forcing, a DoS/DDoS attack, a rate limiting issue on non-sensitive endpoints, or otherwise. Please note that through this program the Company does not intend, in any manner, to create any joint venture, partnership or any other relation (unless expressly agreed in writing) with you
  4. If, while investigating an issue and without any malicious intention, you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information), be sure to disclose this immediately in your communication with the Company
  5. You shall refrain from exploiting and/or proceeding with subsequent testing of a security issue you discover for any reason (including demonstrating additional risk etc)
  6. You shall allow us a reasonable time to acknowledge your finding/report
  7. You shall not disclose the vulnerability in public channels before it gets fixed. Before publishing any write-up on your finding, you will have to first confirm with the Company in writing. We might also ask you for a draft of your write-up for review before you publish it on any public channel
  8. Appropriate legal recourse shall be taken if the identified vulnerabilities are exploited for unlawful gain, used to gain access to restricted customer or system information, or used to impair the Company's systems, or if the Program guidelines are not followed or the Confidential Information is breached; in any such case you shall also not be eligible for our Program
  9. You shall not independently develop, or have developed for yourself, products, concepts, systems or techniques that are similar to or compete with the products, concepts, systems or techniques contemplated under the Program. Such development shall be construed as a violation of your obligations under this Program
  10. You shall indemnify, defend and hold the Company harmless from and against any losses, costs, expenses, damages of whatsoever nature which may be incurred or suffered by the Company arising out of or as a result of any breach of Program (including negligence) or otherwise of any of your obligations contained herein
  11. All Confidential Information furnished to you by the Company shall remain the exclusive property of the Company and the Company shall have the sole and exclusive ownership of all right, title, and interest in and to the Confidential Information, including ownership of all copyrights, patents and trade secrets pertaining thereto, subject only to the rights and privileges expressly granted by the Company under the terms of this Program
  12. Promptly upon the Company’s request at any time, you shall return, or cause to be returned, to the Company all the Confidential Information, including all materials or documents, any copies, summaries and notes of the contents thereof (whether in hard or soft copy form) and, without limitation, all copies of any analyses, compilations, studies or other documents prepared by and/or for the Company containing or reflecting any Confidential Information, and give written certification accordingly
  13. You understand and acknowledge that any misappropriation or disclosure of any of the Confidential Information in violation of the confidentiality obligations will cause the Company grave and irreparable harm, loss and injury, the amount of which may be difficult to ascertain. You agree that the Company has the right to apply to a court of competent jurisdiction for specific performance and/or an order restraining and enjoining any such further disclosure or breach and for such other relief as the Company shall deem appropriate, without posting or the need to post any bond or other security. Such right of the Company to obtain equitable relief in the form of specific performance, temporary restraining order, temporary or permanent injunction or any other equitable remedy which may then be available to it, without the necessity of proving actual damages, shall be in addition to the remedies otherwise available to it at law. You expressly waive the defence that a remedy in damages will be adequate
  14. Nothing contained in this Program shall be construed to obligate the Company to disclose any information to you
  15. This Program shall be fully binding upon you
  16. The failure of the Company to insist upon or enforce strict performance of any of the provisions of this Program or to exercise any rights or remedies under this Program shall not be construed as a waiver or relinquishment to any extent of the Company’s rights to assert or rely upon any such provisions, rights or remedies in that or any other instance; rather, the same shall remain in full force and effect
  17. This Program shall be governed by, construed and enforced in accordance with the laws of the Republic of India
  18. The courts in Gurugram shall have exclusive jurisdiction