Paytm Bug Bounty

Paytm is commited to security. We reward reporters for the responsible
disclosure of in-scope issues and exploitation techniques.

If you discover a bug, we appreciate your cooperation in responsibly investigating
and reporting it to us so that we can address it as soon as possible.

Rewards

Paytm Bug Bounty Program offers bounties for security software bugs which meet the following criteria.

• The bug has a direct security impact and falls under one of our Vulnerability Categories.
• Rewards can only be credited to an UPI Id.
• The minimum reward for eligible bugs is 1000 INR, Bounty amounts are not negotiable.
• 1 valid bug equals 1 reward.
• Multiple reports over time can be eligible for Hall of Fame or a digital certificate.

In situations where a bug does not warrant a bounty, we may issue a digital certificate. Our certification process is multi-leveled:

• Standard
• Bronze
• Silver
• Gold
• Platinum

Our Hall of Fame page recognizes the contributions of reporters who have demonstrated a high level of dedication to our program.
Acceptance requires multiple valid reports and remains at the discretion of our team.

Eligibility

• Be the first to report the issue to us.
• Must pertain to an item explicitly listed under Vulnerability Categories.
• Must contain sufficient information including a proof of concept screenshot, video, or code snippet where needed.
• You agree to participate in testing the effectiveness of the countermeasure applied to your report.
• You agree to keep any communication with Paytm private.

Vulnerability Categories

#	Vulnerability Type		Comment
1.	Cross-Site Request Forgery **		With significant security impact
2.	Cross-Site Scripting **		Self-XSS is out of scope
3.	Open Redirects **		With significant security impact
4.	Cross Origin Resource Sharing **		With significant security impact
5.	SQL injections
6.	Server Side Request Forgery
7.	Privilege Escalation
8.	Local File Inclusion
9.	Remote File Inclusion
10.	Leakage of Sensitive Data
11.	Authentication Bypass
12.	Directory Traversal
13.	Payment Manipulation
14.	Remote Code Execution

Rules

• Don't violate the privacy of other users, destroy data, disrupt our services, etc.
• Don't request updates on an hourly basis. We are handling dozens of reports daily and spam impacts Paytm's Bug Bounty Program efficiency.
• Only target your own accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the accounts of other users without the express permission of our team.
• Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc.
• In case you find a severe vulnerability that allows system access, you must not proceed further.
• It is Paytm’s decision to determine when and how bugs should be addressed and fixed.
• Disclosing bugs to a party other than Paytm is forbidden, all bug reports are to remain at the reporter and Paytm’s discretion.
• Threatening of any kind will automatically disqualify you from participating in the program.
• Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
• Bug disclosure communications with Paytm’s Security Team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.
• Staging, dev and QA environments are not eligible for bug bounty unless there is a some server level issues like RCE, SQL Injection etc.
• Subdomain Takover issues will only be considered post 48 hrs of bucket deletion.

Exclusions

• Zero-day vulnerabilities or recently disclosed CVE will not be considered eligible until more than 90 days have passed since patch availability.
• Fingerprinting / banner disclosure on common/public services.
• Disclosure of known public files or directories, (e.g. robots.txt).
• TapJacking/Clickjacking and issues only exploitable through TapJacking/Clickjacking.
• Social engineering of our service desk, employees or contractors.
• Missing HTTP security headers.
• SPF / DMARC / DKIM Mail and Domain findings.
• Email Rate Limiting or Spamming.
• SSL Attacks such as BEAST, BREACH, Renegotiation attack,SSL weak/insecure cipher suites.
• Non-application layer Denial of Service or DDoS.
• Missing Cookie Attributes.
• CSRF on forms that are available to anonymous users (e.g. login or contact form).
• Logout / Login Cross-Site Request Forgery (logout CSRF).
• Presence of application or web browser 'autocomplete' or 'save password' functionality.
• Error messages with non-sensitive data.
• Social Engineering/ Phishing attacks.
• Attacks that require a rooted/jailbroken device.
• Vulnerabilities requiring MITM or physical access to an unlocked device.
• Automated scanner-generated reports.
• Reports related to the disclosure of Exif metadata from uploaded files.
• Open ports without demonstrating any significant impact.
• Content Injection/ Content Spoofing.
• Misconfigured CORS Headers.

---