Upstox Bug Bounty Program

Found a bug on our platform? Report it and get rewarded.

Driven by tech, but led by people: Upstox believes in maintaining the highest levels of security at all times, and to do that we need your help. Scrutinize, search and send us reports on any bugs you find on our app or web platform, and together let's bug it out!

Submit vulnerability *

*Gmail account is required to submit the vulnerability

Bug Severity Levels

Critical

  • Pre-authentication reflected or DOM XSS (Cross-site scripting)
  • Any stored XSS that is generally accessible by users
  • Command injection (blind command injection should pay more)
  • Deserialization attacks
  • Forced browsing attacks that supply credentials, including session tokens of logged-in users
  • SQL injection (2nd order SQLi and command execution through SQLi should pay more)
  • Forced browsing leading directly to customer data
  • Account takeover vulnerabilities (e.g. an attacker can take control of a user’s account through a logic flaw or inappropriate session handling)

High

  • Post-authentication reflected or DOM XSS
  • CSRF vulnerabilities that involve purchases, sales, or funds transfers
  • OTP bypass
  • Logic flaws allowing manipulation of data
  • Directory browsing enabled for forced browsing leading to bulk sensitive data download
  • Session fixation
  • Logic flaws resulting in potential privilege escalation

Medium

  • Most CSRF vulnerabilities (those not listed explicitly in the high category)
  • Directory browsing enabled for forced browsing leading to isolated data download
  • Logic flaws not resulting in privilege escalation, but resulting in data integrity issues

Low

  • Account enumeration where rate limiting is not enforced
  • Clickjacking possibility, aka X-Frame-Options (you might consider this not in scope)
  • Logic flaws that do not result in privilege escalation or data integrity issues

Informational

  • Directory browsing enabled, no critical files available
  • Any display of information not critical to business
  • Internal asset enumeration/disclosure (e.g. internal path names, IP addresses, etc)

Not in Scope

  • Content Security Policy (CSP) not deployed/implemented
  • HttpOnly flag not set on cookies
  • Outdated software for which public exploits do not exist
  • Outdated software that cannot be exploited in the current configuration
  • Lack of SPF or DKIM records
  • Missing HTTP security headers that do not directly lead to exploitable conditions

Rules of Disclosure

  1. The security researcher knows his responsibility and adheres to all of the ethical guidelines.
  2. The security researcher reporting the bug or members of any external organization who were/are part of the supporting development teams, and their relatives are not allowed to participate in the Bug Bounty Program.
  3. The security researcher may report any security breaches and vulnerabilities found in the system or network.
  4. The security researcher should keep their discoveries confidential at all times and must not disclose the vulnerability to the public or to other organizations.
  5. The security researcher shall not copy, paste, share, transfer, replicate or engage in any such activity that would lead to a data breach, shall take the utmost precaution in handling any data shared by Upstox, and shall at all times adhere to the data security policy of Upstox.
  6. The security researcher shall at all times act in a professional manner, including but not limited to during testing activities, and shall not be associated with malicious hackers or malicious activities.
  7. Testing and identification of the bug should not affect any commercial/trading service at Upstox. Also, you must not break any laws to discover and identify vulnerabilities.
  8. The use of social engineering techniques on our customers or staff is not accepted.
  9. The security researcher shall always maintain the data protection of all Upstox customers.
  10. The monetary reward and severity will be decided based on the criticality of the issue on a case-by-case basis.
  11. Vulnerabilities reported should be present in the latest stable version.
  12. The bug must be new and not previously reported. The Upstox Security team will send a reply to you within a couple of working days if your submitted vulnerability has been previously reported.
  13. We may choose not to provide any monetary benefit if we feel the vulnerability is not critical and/or the submission doesn’t follow any of the guidelines provided by Upstox.
  14. The program may be amended, or discontinued, without notice, at any time.
  15. The bug should not be a random occurrence (i.e. can be reproduced easily). It must be remotely exploitable by us in a standard configuration.