The Groww Bug Bounty program exists to improve Groww's cybersecurity posture through formalized community involvement. No technology is perfect, and Groww believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology.
If you believe you’ve found a security issue in our product or service, we encourage you to notify us.
*A Gmail account is required to submit a vulnerability report.
Subject to the terms below, Groww is offering rewards for the responsible discovery and disclosure of system vulnerabilities.
Groww values the efforts of security researchers and rewards valid security issues. We will reward reports according to the severity of their impact on a case-by-case basis as determined by our bug bounty panel.
- We provide monetary rewards for impactful, unique and exceptional bugs. Depending on how impressive the bug is, we may reward more.
- Depending on the severity of the vulnerability, we may reward with swag only.
- If the vulnerability poses a lower risk or is more of a missing good practice, the reporter will be given a Certificate of Appreciation.
- Apart from monetary benefits, vulnerability reporters who work with us to resolve security bugs in our products will be honoured on the Hall of Fame page.
Responsible Disclosure Policy
- Let us know as soon as possible upon the discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
- Share the vulnerability details here and include as much information as you can.
- Any submission, whether rewarded or not, including Duplicate, Out of Scope, and Not Applicable submissions, is not to be disclosed at any level of detail to the public at any time unless guided by Groww following explicit, written permission.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
- Please allow 5 business days for us to respond before sending another email.
- The Groww InfoSec team will try to remediate the reported in-scope vulnerability as early as possible. However, this may take up to a few months.
- You are expected to respect all the Terms and Conditions (see below). Non-adherence or non-compliance will automatically disqualify you and your submission.
Targets Out of Scope
- All sandbox and staging environments are out of scope.
- All external services/software which are not managed or controlled by Groww are considered out of scope and ineligible for recognition.
- Newly acquired company websites/mobile apps are subject to a 12-month blackout period. Issues reported sooner in such websites/mobile apps won't qualify for any reward or recognition.
In-scope vulnerability examples -
Groww Responsible Disclosure program’s focus will be on the higher severity findings, such as:
- Remote Code Execution
- Significant Authentication Bypass
- Significant Authorization Bypass
- Cross Instance Privilege Escalation
- Server Side Request Forgery
- Insecure Direct Object Reference
- SQL injection
- Cross-Site Scripting (excluding self-XSS)
- Cross-Site Request Forgery (CSRF) on critical actions
- Insufficiently Protected Credentials / Credential Exposure
- Insecure/Open Redirect (which allow stealing secrets/tokens)
- (Sub)domain hijacking or DNS Hijacking
- Payment related issues
- Multi Factor Authentication bypass
- Findings that reveal the sensitive data of our customers and staff
Out of Scope vulnerability examples -
Depending on their impact, some of the reported issues may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues that typically do not earn any recognition:
- Missing HTTP security headers (e.g. X-Frame-Options, X-XSS-Protection, etc.)
- SSL/TLS issues (e.g. BEAST, BREACH, weak/insecure cipher suites, etc.)
- Descriptive error messages (e.g. stack traces, application or server errors)
- Spamming (e.g. SMS/Email Bombing)
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Fingerprinting/banner disclosure on common/public services
- Disclosure of known public files or directories (e.g. robots.txt, readme.txt, changes.txt)
- CSRF on forms that are available to anonymous users (e.g. the contact form)
- Login/logout cross-site request forgery
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Lack of Secure and HTTPOnly cookie flags
- OPTIONS/TRACE HTTP method enabled
- HTTPS Mixed Content Scripts
- Any vulnerability that requires installation of software (e.g. web browser add-ons) on the victim's machine
- (Distributed) Denial of Service attacks
- Any mobile vulnerability that requires physical device access (e.g. USB debugging), root/jailbroken access or third-party app installation in order to exploit the vulnerability
- SSL Pinning bypass and bypassing root/jailbroken detection
- Reporting use of known-vulnerable software or known CVEs without proving exploitability on Groww's infrastructure through a proper proof of concept
- Bugs Groww is already aware of, or those already classified as ineligible
Terms and Conditions
- Please don’t send information to any other channel such as other emails, chat, support, etc. These requests won’t be entertained and might disqualify you from the program
- Do not use scanners or automated tools to find vulnerabilities since they’re noisy. Doing so will invalidate your submission and you will be completely banned from the Program.
- You are obliged to share any extra information if asked for; refusal to do so will result in invalidation of the submission.
- You must be respectful to our existing applications, and in any case you should not run test-cases which might disrupt our services.
- Do not abuse the vulnerabilities by penetrating into the system more than required
- Do not download more data than necessary to demonstrate the vulnerability (alternatively, you can make a directory listing of a system)
- Do not share the access with third parties
- Do not employ attacks on physical security, social engineering, spam, attacks on third-party applications, distributed denial of service or other such forms of attack
- Do not install malware
- Do not share the vulnerability with others until it has been resolved
- Delete all confidential data after the vulnerability has been resolved
- Do not perform any kind of (Distributed) Denial of Service (D)DoS attacks
Check out our Hall of Fame page.