If you are a bug hunter, security researcher, or a white hat hacker, Winni is extending you an opportunity to show your skills in identifying security vulnerabilities on Winni.in, and get rewarded in return.
If you think you can find software issues on Winni.in that have the potential to be exploited, we appreciate your help in letting us know as soon as possible. Our team will investigate the security reports and resolve the issue within a reasonable time frame. As a token of our appreciation, we offer a monetary bounty for all legitimate security reports based on their severity, complexity, and impact.
Responsible Disclosure Guideline
- You will not publicly disclose a bug before it has been fixed
- You will not violate any laws or regulations. Winni will not be responsible for non-adherence to laws from your end.
- You will protect our users' privacy and data. You will not access or modify data without our permission.
- You will ensure no disruption to our production systems and no destruction of data during security testing.
- If any privacy violation is inadvertently caused by you while testing, you must disclose it to us immediately.
- You will abstain from exploiting a security issue you discover for any reason.
- You will not attempt phishing or security attacks. This might end in suspension of your account.
- Due to a high number of submissions, we may take a reasonable time to fix the vulnerability reported by you. You have to allow us time to respond to you.
- We will get back to you preferably within 7 working days.
- We will keep you updated about the bug reported and its fix at our end.
- We will suitably reward you for your effort.
- If you are a Winni employee or are related to an employee (parent, sibling, spouse), you are not eligible for the bug bounty program.
- If you are a Winni customer or a security researcher interested in making our systems safe, you are eligible.
Program Terms
By participating in Winni's Bug Bounty Program, you agree to Winni's terms and conditions. To qualify for a bounty, you have to meet the following requirements:
- Adherence to Winni's Disclosure Policy
- Reporting of a security vulnerability
- You will provide necessary assistance to Winni, if required, in resolving the security issue
- The bounty will be paid after the bug has been fixed
- We reserve the right to publish reports without your approval
- In case of duplicate reports, the person who reports it first would get the bounty
- All bounty rewards are permitted by applicable laws
- Winni has the sole discretion to ascertain the risk category. Extremely low-risk issues may not qualify for a bounty.
- Though we seek to reward similar amounts for similar issues, qualifying issues and the amounts paid may change
- Certain types of security issues are excluded. We have listed them under 'out of scope reports'
- Bounty will be paid for bugs that were unknown to us.
- If you disclose a bug/security issue via social media, you will be rendered ineligible for this program
- You would refrain from contacting any Winni employee regarding the program
Scope for Winni's Bug Bounty Program
The scope of this program includes the following only:
- Desktop website at https://www.winni.in
- Mobile website at https://www.winni.in
- Our mobile apps - Android
Web in-scope vulnerabilities for the bug bounty are:
- Cross-Site Scripting (XSS) (Excluded: Self-XSS, DOM Based XSS, Reflected XSS without any impact or ability to re-use the cookies)
- SQL Injection / XXE / RCE
- Server Side Request Forgery (SSRF)
- Broken Authentication (including OAuth bugs)
- Broken Session flaws
- Remote Code Execution
- Privilege Escalation
- Provisioning Errors
- Business logic flaws
- Misuse/Unauthorized use of our APIs
- Improper TLS protection
- Leaking customers' sensitive data covered by PCI norms
Not in scope
- Issues related to software/application not under Winni's control
- Cross-Site Request Forgery (CSRF/XSRF)
- Vulnerabilities dependent upon social engineering techniques
- Brute Force protection on login page
- Autocomplete attribute on web forms (this works as designed)
- Any physical attempts against Winni property or data centres
- Protocols or standards not developed by Winni.
- Minor issues like version disclosures.
- DDoS attacks.
- Cookie attributes not set/Secure flag issues
- Clickjacking
- JavaScript library disclosure
Out of scope for Android app
- Absence of certificate pinning
- Sensitive data stored in app private directory
- User data stored unencrypted on external storage
- Lack of binary protection control in android app
- Shared links leaked through the system clipboard.
- Any URIs leaked because a malicious app has permission to view URIs opened
- Sensitive data in URLs/request bodies when protected by TLS
- Lack of obfuscation
- OAuth, app secret, hard-coded/recoverable in apk
- Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)
You are expected to respect all the terms and conditions of Winni's Bug Bounty Program. Non-adherence or non-compliance will automatically disqualify you. A serious breach may also lead to suspension of your account.
Winni's Bug Bounty Program, and its policies, are subject to change or cancellation by Winni at any time, without notice. Also, we may amend the terms and/or policies of the program at any time. In case of any change, a revised version will be posted here.
- Akshay Thakur