
Vulnerability Disclosure Policy

Update

Thank you for your interest in our vulnerability disclosure program. We have temporarily paused the program to review and improve our processes. We appreciate your patience and understanding, and we will provide an update as soon as possible. Please note that we remain committed to the security of our systems and will continue to work diligently to protect our users.

Promise

Pratilipi, one of India's largest online digital platforms, believes that maintaining the security, privacy and integrity of our users, systems, networks and products is very important. Therefore, Pratilipi appreciates the work of security researchers in improving our security posture. We are committed to creating a safe, transparent environment for reporting vulnerabilities.

We have developed this policy both to reflect our startup cultural values and to uphold our legal responsibility to good-faith security researchers who provide us with their expertise.

Scope

Any of Pratilipi's

  • Product (Pratilipi Book, Pratilipi Comic, Pratilipi FM)

  • iOS

  • Android

  • Web

  • Progressive Web App (PWA)

which process, store, transfer or otherwise use personal or sensitive personal information, such as authentication data.

Domains

pratilipi.com

english.pratilipi.com

android.pratilipi.com

pratilipicomics.com

prod.pratilipicomics.com

pratilipifm.com

api.pratilipifm.com


Out of Scope

  • Any third party services/domains/vendors used by Pratilipi.

  • (D)DoS.

  • Automation scripts and tools.

  • Any spelling mistakes.

  • Any UI/UX bugs.

  • Issues that do not affect the latest version of modern browsers or operating systems (Android, iOS).

  • Client-side issues that do not affect the latest version of our Android or iOS applications.

  • General best practice concerns.

  • Same issue under multiple subdomains.

  • Self XSS

  • Open Redirect without proven security impact

  • Bruteforce attacks

  • Man-in-the-Middle attack

  • Clickjacking without proven security impact

  • Disclosed Google API keys

  • Verbose messages/errors without disclosing any sensitive information

  • CORS misconfiguration on non-sensitive endpoints

  • Missing cookie flags

  • Missing security headers

  • Tabnabbing

  • Host Header Injection

  • Cross-domain referer leakage

  • Email spoofing, SPF, DMARC or DKIM

  • Email bombing

  • Version disclosure

  • Unauthenticated/Login/Logout CSRF without proven security impact

  • Issues that require unlikely user interaction

  • Broken link hijacking (e.g., social media links)

  • Weak SSL/TLS configurations reports

  • Disclosing API keys without any security impact

  • Physical attacks: attacks that require physical access to a victim's device

  • Recently disclosed 0-day vulnerabilities in third-party products. Please give us 1 month to patch those 0-day bugs.

  • Reports without proof of exploitation

  • Known issues


Rules

  • Remember that you must never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

  • Do not disclose the security vulnerabilities found on the platform.

  • Do not tamper with the sensitive data of the company or users.

  • Pratilipi employees and their friends/family members are not eligible for rewards.

  • Multiple vulnerabilities having the same root cause will be awarded one bounty only.

Legal Actions

We will not pursue civil or legal action, or initiate a complaint to law enforcement, for accidental, good-faith violations of this policy, provided no damage is done to the concerned party. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act.

If legal action is initiated by a third party against you and you have complied with Pratilipi’s VDP, Pratilipi will take steps to make it known that your actions were conducted in compliance with this policy.

Process

Reporting system: Email

Template

Subject of the email

<Severity> | <Name of the Vulnerability>

Body of the email

Individual Details:
Full Name:
Mobile Number:
Any Publicly Identifiable profile(LinkedIn, Github etc.):
Bug Details:
Name of the Vulnerability:
Areas affected:
Impact:
Severity:
Detailed steps to reproduce:
Remediation:
Suggestions/Solutions:
Attachments:


Preferences & Prioritization

What we would like to see from you:

  1. You must be the first person to responsibly disclose/report an unknown issue.

  2. Multiple issues should be reported separately.

  3. Well-written reports in English will have a higher chance of resolution.

  4. Reports that include proof-of-concept code equip us to better triage.

  5. Reports that include only crash dumps or other automated tool output may receive lower priority.

  6. Reports that include products not on the initial scope list may receive lower priority.

  7. Please include how you found the bug, the impact, and any potential remediation.

What you can expect from us:

  1. A timely response to your email (within 7 business days).

  2. After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.

  3. An open dialog to discuss issues.

  4. Notification when the vulnerability analysis has completed each stage of our review.

  5. Credit after the vulnerability has been validated and fixed.

  6. Please note that the assessment of a vulnerability's impact lies solely at the discretion of Pratilipi.

Credit

Bug Bounty

  1. low - $25

  2. medium - $100

  3. high - $250

  4. critical - $500+


Hall of Fame


Public Disclosure Policy

By default, this program is in "PUBLIC NON DISCLOSURE" mode which means:

"THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO PUBLIC, FAILING WHICH SHALL BE LIABLE FOR LEGAL PENALTIES!"

Version

This document (Version 1.5) was created on 28 January 2022. We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. Any updates will be noted below in the version notes.