Bug Bounty

Information security & management is a marathon, and we at INDmoney (“we”/“us”/“Company”) strive to ensure the safety & security of INDmoney customers through state-of-the-art processes, security frameworks, and regular audits. We also believe that a close partnership with security researchers, following the latest trends to understand security threats and identify vulnerabilities, creates a powerful ecosystem of security, making customers secure and confident in using the products and services along with all the impactful features.

Security researchers (“You”/“Your”) are part of our Tech ecosystem, helping us track down the vulnerabilities that were missed or can be upgraded during the process of software development. If you are a security researcher who has found a vulnerability in any INDmoney product/platform, we encourage you to participate in our Bug Bounty program. We would like to hear from you, learn from you and reward you.

Guidelines of the Program

  • Testing and identification of the bug should not affect any trading service or day-to-day operations of the system. Also, you must adhere to all legal and ethical guidelines while discovering and identifying the vulnerabilities.
  • The Bug Bounty program is a private program and involves a lot of security frameworks to ensure proper management. You must agree not to disclose any vulnerability to the public or any other organization. Please take prior consent from INDmoney before disclosing the details outside of BugBounty@indmoney.com.
  • You must be at least 18 years old and the first one to report the issue to us.
  • The vulnerability reported should be from the latest stable version.
  • You or your relative must not be currently employed by or connected with the Company in any manner whatsoever to be eligible to participate in the program.
  • The report submitted by you must be your own work, that is, you haven't used any information owned by another person or entity.
  • Please do not use open network ports, open services other than public HTTP endpoints, etc., or DoS and DDoS tests while identifying vulnerabilities.
  • Do not access sensitive data, and do not download or use more data than is necessary for testing your vulnerability. You must not copy, paste, share, transfer or replicate any activity or any information that would lead to a data breach, and you must handle all data/information with the utmost precaution, failing which you shall be liable for legal penalties.

Do not make any changes/modifications without our explicit prior permission.

How to report the bugs:

Submit the bugs by sending an email to BugBounty@indmoney.com with the detailed steps required to reproduce the vulnerability (video & screenshots). Note: Use Google Drive to share a long video PoC. Don’t use public platforms like YouTube.

Please share your details, such as name, bank account details, address and PAN (for tax and compliance purposes), in order to receive any bug bounty rewards. The Company may take a reasonable time, which may extend up to 30 days, to assess the report and share the reward with you. All reward payments are also subject to applicable tax deducted at source. Any anonymous report or report with incomplete information will not be eligible to participate in this program.

Based on the severity, we will revert within 2-4 business days, and communicate whether the bug report was accepted/declined and the steps forward including the payment of the reward.

Scope of bug identification:

  • indmoney.com and its sub-domains
  • Apps: iOS & Android
  • API: indiawealth.in and its sub-domains
  • Cloud infrastructure platform

Reward Policy:

We firmly believe that every effort deserves acknowledgment and recognition. We will reward reports according to the severity of their impact on a case-by-case basis as determined by our team internally. Rewards are granted entirely at the discretion of the Company, i.e. we may reward more for unique, hard-to-find bugs; we may also reward less for bugs with complex prerequisites that have lower risk of exploitation of our platforms or for which the impact or security risk is negligible. In addition to the rewards, you may get a chance to get listed on our esteemed Hall of Fame.

Further, the monetary reward shall be decided on the basis of the criticality of the issue on a case-by-case basis. The Company may choose not to provide any monetary benefit if we feel the bug reported is not critical or you have not followed the guidelines of the program.

Please note that the rewards may be denied in the scenarios mentioned below:

  • If we find out that there has been a violation of this policy
  • If the bug reported by you impersonates an apparent vulnerability
  • If we are unable to verify your identity, i.e., your name and address/contact number, which enable us to make sure that you are an independent researcher and are in no way related to our employees and do not have an understanding of our dev environment.
  • The reward is non-transferable and non-assignable to any third person. In case you are not willing or not able to accept the reward, we reserve the right to rescind it.

Current Security Hall of Fame: Click HERE

We look forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Note: The Bug Bounty program is only for reporting security bugs which you may find on the INDmoney platform. For reporting any generic/application-related issues, please reach out to our Customer Service Team.

This program can be amended or discontinued at the discretion of the Company without any prior notice.