Introduction
Hello security researchers, bug hunters and white-hat groups. Nepalekart has launched a Bug Bounty program to honour the external contributions that help us keep our users' data and our customers' wallets safe. The program covers all web and mobile application platforms owned by Nepalekart.
If you believe you have found a security vulnerability or bug on any Nepalekart-owned website or application, we encourage you to let us know straight away. Our team will investigate every legitimate report and do our best to fix the problem quickly.
Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.
Guidelines
Responsible Disclosure Policy
Nepalekart believes effective disclosure requires mutual respect and transparency between researchers and our security team.
1. Security researchers and bug hunters should respect the rules, respect user privacy, be patient and do no harm.
2. You must be the first researcher to responsibly report the vulnerability.
3. You may not publicly disclose the vulnerability before we have resolved it.
4. Allow us at least 48 to 72 hours to respond to you and open a ticket.
5. Allow us at least 15 to 20 days, depending on the severity of the issue, to resolve the vulnerability; critical issues we will try to fix immediately to the best of our efforts.
6. Any improper public disclosure or misuse of information entitles Nepalekart to take appropriate legal action.
Eligibility
To qualify for a bounty, you should:
1. Adhere to our Responsible Disclosure Policy (as stated above).
2. Be the first researcher to responsibly disclose the bug.
3. Use only test accounts to reproduce the vulnerability; do not attempt it against live accounts.
4. Submit a bug only if you have exploited a real vulnerability (see Scope Exclusions below).
Note: If you use automated scanning tools, their request rate must not exceed 2 requests per second without prior approval. Exceeding this limit will be treated as a DoS attack and will result in disqualification from the reward program. Results from automated scanners must be validated manually before you submit a report, as they commonly contain low-priority issues and false positives.
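To stay under a ceiling like the 2 requests per second above, put a client-side token-bucket throttle in front of every request your scanner sends, and audit the achieved rate from your own log before submitting. The following is an added example, not Nepalekart's code or any tool's official API; the target URLs and the `send` stub are constructed so it runs offline, and the `FakeClock` exists only so the schedule is deterministic (with the default `time.monotonic`/`time.sleep` it throttles real requests).

```python
"""Client-side throttle so a scanner never exceeds a bounty program's
request-rate ceiling (2 req/s here). Added example; not Nepalekart code."""
import time
from typing import Callable, List, Sequence, Tuple


class RequestThrottle:
    """Token bucket: `rate` tokens/s are added, capped at `burst`; each request
    costs one token, and acquire() blocks (via `sleep`) until one is free.
    `clock` and `sleep` are injectable so the schedule can be tested offline."""

    def __init__(self, rate: float = 2.0, burst: int = 1,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        if rate <= 0 or burst < 1:
            raise ValueError("rate must be > 0 and burst >= 1")
        self.rate = float(rate)
        self.burst = int(burst)
        self._clock = clock
        self._sleep = sleep
        self._tokens = float(burst)  # start full: first request goes out at once
        self._last = clock()

    def _refill(self) -> None:
        now = self._clock()
        self._tokens = min(float(self.burst),
                           self._tokens + (now - self._last) * self.rate)
        self._last = now

    def acquire(self) -> float:
        """Wait until a token is available, take it, and return seconds slept."""
        self._refill()
        waited = 0.0
        if self._tokens < 1.0:
            waited = (1.0 - self._tokens) / self.rate
            self._sleep(waited)
            self._refill()
        self._tokens -= 1.0
        return waited


class FakeClock:
    """Deterministic clock for tests and the demo: sleep() just advances time."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def run_scan(urls: Sequence[str], send: Callable[[str], object],
             throttle: RequestThrottle,
             clock: Callable[[], float]) -> List[Tuple[str, float]]:
    """Send each URL through `send` only after the throttle clears it; return
    (url, timestamp) pairs so the achieved rate can be audited afterwards."""
    sent: List[Tuple[str, float]] = []
    for url in urls:
        throttle.acquire()
        sent.append((url, clock()))
        send(url)
    return sent


def peak_rate(timestamps: Sequence[float], window: float = 1.0) -> int:
    """Largest number of requests in any half-open window [t, t + window)
    that starts at a request. Run this over your scanner's log before reporting."""
    ts = sorted(timestamps)
    peak = 0
    for i, start in enumerate(ts):
        count = 0
        for t in ts[i:]:
            if t < start + window:
                count += 1
            else:
                break
        peak = max(peak, count)
    return peak


if __name__ == "__main__":
    clock = FakeClock()
    throttle = RequestThrottle(rate=2.0, burst=1, clock=clock, sleep=clock.sleep)
    # Constructed sample targets (hypothetical host); `send` is a stub.
    targets = [f"https://example.test/path/{i}" for i in range(5)]
    log = run_scan(targets, send=lambda u: None, throttle=throttle, clock=clock)
    for url, t in log:
        print(f"t={t:4.1f}s  {url}")
    print("peak requests in any 1 s window:", peak_rate([t for _, t in log]))
```

With `burst=1` the first request leaves immediately and every later one is spaced 0.5 s apart, so no 1-second window ever holds more than two requests; raising `burst` lets a short burst through and the audit in `peak_rate` will show it, which is exactly the case a program reviewer would flag.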
Scope
Nepalekart Web Application - www.nepalekart.com
Nepalekart Mobile Application – Android. (Latest Version)
Researchers should report any bug that could compromise the confidentiality, integrity or availability of our customers' wallet accounts or user data. The vulnerability classes below are in scope.
"Typical" web vulnerabilities (such as the OWASP Top 10) are generally considered in scope. This includes:
1. Cross-Site Scripting (XSS)
2. SQL Injection
3. Cross-Site Request Forgery (CSRF)
4. Broken Authentication (including OAuth bugs)
5. Broken session management
6. Remote Code Execution
7. Privilege Escalation
8. Provisioning Errors
9. Business logic flaws
10. Misuse/Unauthorized use of our APIs
11. Improper TLS protection
12. Leaking of sensitive customer data (especially anything within PCI scope)
Scope Exclusions
Vulnerabilities not in scope:
1. Issues in software or applications not under Nepalekart's control
2. Vulnerabilities that depend on social engineering techniques
3. Missing brute-force protection on the login page
4. Autocomplete attribute on web forms (this works as designed)
5. Any physical attempts against Nepalekart property or data centres
6. Protocols or standards not developed by Nepalekart
7. Minor issues such as version disclosures
8. DDoS attacks
9. Missing cookie attributes or Secure flag issues
10. Clickjacking
11. JavaScript library disclosures
Rewards
1. There is no maximum reward: each bug is awarded a bounty based on its severity, scope and exploitability.
2. Reporters of high-severity bugs will be listed on Nepalekart's Wall of Fame.