Please submit a detailed description of the issue to us, along with the steps to reproduce it. Our team will investigate the security reports and resolve the issue within reasonable time frame.
Responsible Disclosure Guideline
- You will not publicly disclose a bug before it has been fixed
- You will protect our users' privacy and data. You will not access or modify data without our permission.
- You will ensure no disruption to our production systems and no destruction of data during security testing.
- If any privacy violation is inadvertently caused by you while testing, you are liable to disclose it immediately to us.
- You will abstain from exploiting a security issue you discover for any reason.
- You will not attempt phishing or security attacks. This might end in suspension of your account.
- We may take a reasonable time to fix the vulnerability reported by you. You have to allow us time to respond to you.
ScopeThe scope of issues is limited to technical vulnerabilities in the Winni website or mobile apps (android only). Please do not attempt to compromise the safety or privacy of our users (so please use test accounts), or the availability of Winni through DoS attacks or spam. We also request you not to use vulnerability testing tools that generate a significant volume of traffic.
- Remote Code Execution (RCE) - able to execute arbitrary commands on a remote device
- SQL Injection - able to read Personally Identifiable Information (PII) or other sensitive data / full read/write access to a database
- Server-Side Request Forgery (SSRF) - able to pivot to internal application and/or access credentials (not blind)
- Information Disclosure - mass PII leaks including data such as names, phone numbers and addresses
- Access to administration portals without authentication mechanism
- Stored Cross-Site Scripting (XSS) - stored XSS with access to non HttpOnly cookies
- Information Disclosure - leaked credentials
- Subdomain Takeover - on a domain that still sees traffic or would be a convincing candidate for a phishing attack
- Cross-Site Request Forgery (CSRF) - leading to account takeover
- Account Takeover (ATO) - with no or minimal user interaction
- Insecure Direct Object Reference (IDOR) - read or write access to sensitive data or important fields that you do not have permission to
- SQL Injection - able to perform queries with a limited access user
- Broken Authentication (including OAuth bugs) / Authentication Bypass
- Privilege Escalations
- Payment manipulation
- CSRF - able to modify important information (authenticated)
- ATO - required user interaction
- IDOR - write access to modify objects that you do not have permission to
- XSS - reflected/DOM XSS with access to cookies
- Subdomain Takeover - on an unused subdomain
- Broken Session flaws
- Open redirects which allow stealing tokens/secrets
- Directory listings
- XSS - POST based XSS (with CSRF)
- Lack of HTTPS on dynamic pages (judged on a case-by-case basis)
- Server information page (no credentials)
- Misuse/Unauthorized use of our APIs
- Improper TLS protection
RewardsWe will offer rewards to all valid unique security issue submissions which fall under this program terms. We offer reward according to severity of their impact on a case-by-case basis as determined by our security team. In scope section above, we have classified several vulnerabilities based on severity according to us. This will help you give a gross idea about how we classify issues.
- Not all security issues are associated with monetary reward, our security team will have final judgment based on severity of the issue.
- We may credit your Winni wallet for your contribution.
- We may provide swag/goodies for your contribution.
- For all unique valid submissions, we offer to have your name in our Hall of Fame.
- In case of issues which are already reported by someone else. In such cases reward goes to first reporter.
- The reward will be paid after the bug has been fixed, and will be according to Winni's discretion
- Reward will be applicable only for bugs that were unknown to us.
Non-qualifying vulnerabilities / Known Issues
- Issues related to software/application not under Winni's control
- Vulnerabilities dependent upon social engineering techniques
- Brute Force protection on login page
- Autocomplete attribute on web forms ( this works as designed)
- Any physical attempts against Winni property or data centres
- Protocols or standards not developed by Winni.
- Minor issues like version disclosures.
- DDOS attacks.
- Cookie attributes not set/Secure flag issues
- Click Jacking
- Java Script Library disclosure
- Blog - winni.in/celebrate-relations & blog.winni.in & technology.winni.in
- Lack of rate limiting mechanisms
- Captcha related concerns
- Open redirects without a severe impact
- Self-type Cross Site Scripting / Self-XSS
- Application stack traces (path disclosures, etc.)
- Vulnerabilities that require Man in the Middle (MiTM) attacks
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Brute force attacks
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.
- Vulnerabilities affecting outdated or unpatched browsers / Operating Systems.
- Issues that aren't reproducible.
- Attacks requiring MITM or physical access to a user's device.
- Missing best practices in SSL/TLS configuration.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Weak password policy
- Promo code abuse (e.g. ordering multiple times using the same promo code)
- Abuse of our promotional offers and referral codes Ineligible Reports and False Positives
Out of scope for Android app
- Absence of certificate pinning
- Sensitive data stored in app private directory
- User data stored unencrypted on external storage
- Lack of binary protection control in android app
- Shared links leaked through the system clipboard.
- Any URIs leaked because a malicious app has permission to view URIs opened
- Sensitive data in URLs/request bodies when protected by TLS
- Lack of obfuscation
- OAuth, app secret, hard-coded/recoverable in apk
- Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope)
Out of scope for iOS App
- Absence of certificate pinning
- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
- Path disclosure in the binary
- User data stored unencrypted on the file system
- Lack of binary protection (anti-debugging) controls
- Lack of obfuscation
- Lack of jailbreak detection
- Runtime hacking exploits (exploits only possible in a jailbroken environment)
- oauth app secret hard-coded/recoverable in apk
- Snapshot/Pasteboard leakage
- Crashes due to malformed URL Schemes
Testing using Tools
Don't be evil. Practice safe checks. Please donât use automated scanners/scripts as those tools can be disruptive or cause sites to misbehave leading to suspension of your account.
Program TermsBy participating in Winni's Bug Bounty Program, you comply to Winni's terms and conditions. To qualify for a bounty, you have to meet the following requirements:
- Must pertain to an item explicitly listed under our in-scope vulnerabilities section. Else our security team will take a call as per their judgment.
- Must contain enough information and a proof of concept code or screenshot.
- You will provide necessary assistance to Winni, if required, in resolving the security issue
- We reserve the right to publish reports without your approval
- In case of duplicate reports, the person who reports it first would get the bounty
- Though we seek to reward similar amount for similar issue, qualifying issues and the amounts paid may change
- Certain types of security issues are excluded. We have listed them under 'out of scope reports'.
- If you disclose a bug/security issue via social media, you will be rendered ineligible for this program.
- You would refrain from contacting any Winni employee regarding the program.
- Be the first researcher to responsibly disclose the bug. Duplicate submissions are neither eligible for rewards nor Hall of Fame. Only one reward will be rewarded for every distinct security vulnerability.
- Security Bug bounty is applicable only for individuals.
- Verify the fix for the reported vulnerability to confirm that the issue is completely resolved.
- Respect all the terms and conditions of Winni's Big Bounty Program. Non-adherence or non-compliance will automatically disqualify you. A serious breach may also lead to suspension of your account.
Changes to Program Terms
Winni's Bug Bounty Program, and its policies, are subject to change or cancellation by Winni at any time, without notice. Also, we may amend the terms and/or policies of the program at any time. In case of any change, a revised version will be posted here.
- Rahul Varale - IDOR (Linkedin)
- Sumit Grover - Cross Site Scripting (Twitter)
- Mohamed Ahmed - Cross Site Scripting (Linkedin)
- Evan Ricafort - Cross Site Scripting
- Pratik Vinod Yadav - IDOR (Linkedin)
- Rahad Chowdhury - HTML Injection (Linkedin)
- Shivam Singh (KiNg) - Cross Site Scripting
- Simrah Samdani - XML-RPC Exploit(Linkedin)
- Usama Varikkottil - Cross Site Scripting (Linkedin)