We’re committed to protecting our community. If you are a security researcher or expert and believe you’ve identified security-related issues with Quicko's website & APIs, we would appreciate you disclosing it to us responsibly.
Our team is committed to addressing all security issues in a responsible and timely manner, and we ask the security community to give us the opportunity to do so without disclosing them publicly. Please submit a detailed description of the issue to us, along with the steps to reproduce it. We trust the security community to make every effort to protect our users’ data and privacy.
Rules of the Program
How to Report a Vulnerability?
Please submit a form by clicking here.
In Scope
Out of Scope
Note:
If you think you have found a bug with critical impact even if it lies outside the scope of the program, please submit a report and we will get back to you!
We determine Vulnerability Severity based on the following factors:

| Component | Description |
| --- | --- |
| Attack Vector | How exploitable the vulnerability is. The score increases the more remote an attacker can be in order to exploit the vulnerability. |
| Attack Complexity | Whether conditions beyond the attacker's control must exist in order to exploit the vulnerability. |
| Privilege Required | The level of privileges an attacker must possess before successfully exploiting the vulnerability. The severity increases as fewer privileges are required. |
| User Interaction | Whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. |
| Scope | Whether a successful attack impacts a component other than the vulnerable component. |
| Confidentiality | The impact of the bug as it relates to confidential information being accessed. |
| Integrity | Whether data can be modified due to the vulnerability. |
| Availability | Whether data or functionality can be rendered inaccessible, i.e. the impact on the availability of the affected component. |
Vulnerability Classification:

| Severity | Category |
| --- | --- |
| Critical | Remote Code Execution (RCE), Leakage of Sensitive Information |
| High | Broken Authentication & Authorization Flow, Privilege Escalation, Server-Side Injection with Critical Impact, File Inclusion, Account Takeover, Insecure Direct Object Reference (IDOR) |
| Medium | Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Server-Side Request Forgery (SSRF), Broken Access Control |
Non-qualifying Vulnerabilities & Prohibited Actions
Note: Abuse of any vulnerability found will be subject to legal penalties.
Rewards
We will reward reports according to the severity of their impact on a case-by-case basis as determined by our security team.
| Severity | Reward |
| --- | --- |
| Critical (P1) vulnerabilities | Cash (max. INR 5000) + Appreciation Certificate |
| High (P2) vulnerabilities | Cash (max. INR 1000) + Appreciation Certificate |
| Medium (P3) vulnerabilities | Appreciation Certificate and Hall of Fame (HOF) |
| Low (P4) vulnerabilities | Appreciation Certificate and Hall of Fame (HOF) |
| P5 vulnerabilities | Not eligible |

All bounty rewards are paid based on an internal assessment by our security team. Depending on the severity, the team will respond within 1-7 days and communicate whether the bug report was accepted or declined, along with the next steps, including payment of the reward.
Do we Recruit?
We are constantly looking for skilled security professionals! Feel free to consult our job offers by clicking here. The IT Security Team will make sure to put in a good word for you.