We’re committed to protecting our community. If you are a security researcher or expert and believe you’ve identified security-related issues with Quicko’s website, we would appreciate you disclosing it to us responsibly.


Our team is committed to addressing all security issues in a responsible and timely manner, and we ask the security community to give us the opportunity to do so before disclosing them publicly. Please submit a detailed description of the issue to us, along with the steps to reproduce it. We trust the security community to make every effort to protect our users’ data and privacy.




Rules of the Program



  • Do not violate the privacy of other users, destroy data, disrupt our services, etc.

  • High-quality submissions allow our team to better understand the issue and relay the bug to the internal team to fix. The best reports provide enough actionable information to verify and validate the issue without any follow-up clarifying questions.

  • We only reward the first reporter of a vulnerability. Public disclosure of the vulnerability prior to resolution will result in disqualification from the program. You must report a qualifying vulnerability through the steps mentioned in the ‘How to report a vulnerability?’ section to be eligible for a reward.

  • Check the scope section before you begin writing your report to ensure the issue you are reporting is in scope for the program.

  • In case you find a severe vulnerability that allows system access, you must not proceed further.

  • It is Quicko’s decision to determine when and how bugs should be addressed and fixed.

  • Disclosing bugs to a party other than Quicko is forbidden; all bug reports are to remain at the reporter's and Quicko's discretion.

  • Bug disclosure communications with Quicko’s Security Team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.


 


How to Report a Vulnerability?


Please submit a form by clicking here.


Note: Please fill in the form fields above clearly, as follows:

  Subject: Vulnerability Report | <Vulnerability Name>

  Description: <Vulnerability Description>


 


In Scope



  • quicko.com

  • accounts.quicko.com

  • api.quicko.com

  • it.quicko.com

  • tools.quicko.com

  • trader.quicko.com

  • clique.quicko.com

  • dashboard.zerodha.quicko.com

  • form16.quicko.com

  • oauth.quicko.com

  • plans.quicko.com

  • sandbox.co.in

  • dashboard.sandbox.co.in

  • accounts.sandbox.co.in


Out of Scope



  • *.quicko.com

  • *.sandbox.co.in

  • Any services hosted by third-party providers are excluded from the scope.

  • Anything else not explicitly mentioned in ‘In Scope Targets’ above.


Note: If you find an issue on a target that is not listed under In Scope or Out of Scope above and you believe it is critical, please submit a report and we will get back to you.


We determine Vulnerability Severity based on the following factors:

  • Attack Vector: How exploitable the vulnerability is. The score increases the more remote an attacker can be in order to exploit the vulnerability.

  • Attack Complexity: The conditions beyond the attacker's control that must exist in order to exploit the vulnerability.

  • Privilege Required: The level of privileges an attacker must possess before successfully exploiting the vulnerability. The severity increases as fewer privileges are required.

  • User Interaction: Whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

  • Scope: Whether a successful attack impacts a component other than the vulnerable component.

  • Confidentiality: The impact of the bug as it relates to confidential information being accessed.

  • Integrity: Whether data can be modified due to the vulnerability.

  • Availability: Whether data or functionality can be rendered inaccessible; the impact on the availability of the affected component.

Classification of Vulnerabilities

  • Critical: Remote Code Execution (RCE)

  • Critical: Leakage of Sensitive Data

  • High: Broken Authentication & Authorization Flow

  • High: Privilege Escalation (Vertical & Horizontal Privilege Escalation)

  • High: Server-Side Injection with Critical Impact

  • High: File Inclusion

  • High: Account Takeover - Without User Interaction

  • High: Insecure Direct Object Reference (IDOR) - Able to access and modify sensitive and PII information

  • Medium: Cross-Site Scripting (XSS) - Self-XSS is out of scope

  • Medium: Cross-Site Request Forgery (CSRF) - With significant security impact

  • Medium: Server-Side Request Forgery (SSRF)

  • Medium: Broken Access Control

  • Low: Misconfigured DNS



Non-qualifying Vulnerabilities & Prohibited Actions




  • Automated tools or scripts are STRICTLY PROHIBITED and any reports generated by automated scan tools are not acceptable.




  • DoS & DDoS, Spamming, Social Engineering (including phishing), Any Physical Attempts or requiring MITM, Any brute-force techniques (e.g. repeatedly entering passwords) in order to gain access to the system.




  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other user's data.




  • Do not reveal the problem to third parties.




  • The publicly available information and/or browser instructions.



  • Missing any best security practice that is not a vulnerability.

  • Mail Server Misconfiguration - Invalid or missing SPF/DKIM/DMARC records.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.

  • Promo code enumeration, abuse of our promotional offers and referral codes.

  • Missing Secure or HTTPOnly Cookie Flag / Insecure SSL / Certificate Error / Mixed Content (HTTPS Sourcing HTTP).

  • Rate Limiting based issues.

  • Lack of Security Headers.

  • Clickjacking

  • Session Expiration/Invalidation Related Issues.

  • Username/Email Enumeration.

  • Logout or unauthenticated CSRF.

  • Lack of Password Confirmation.

  • EXIF Geolocation Data Not Stripped From Uploaded Images.

  • Issues that don't affect the latest version of modern browsers or platforms.

  • Use of a known-vulnerable library (without evidence of exploitability).

  • Any other issues determined to be of negligible security impact.

  • 0-day vulnerabilities in any third parties we use within 10 days of their disclosure.

  • Known Vulnerability Report.

Note: Abuse of any vulnerability found shall be liable for legal penalties.




Rewards


We will reward reports according to the severity of their impact on a case-by-case basis as determined by our security team.



  • Critical (P1) vulnerabilities - Rewarded by Cash (Max. INR 5000) + Appreciation Certificate

  • High (P2) vulnerabilities - Rewarded by Cash (Max. INR 1000) + Appreciation Certificate

  • Medium (P3) vulnerabilities - Rewarded by Appreciation Certificate and HOF

  • Low (P4) vulnerabilities - Rewarded by Appreciation Certificate and HOF

  • P5 vulnerabilities - Not Eligible


All bounty rewards will be paid based on an internal assessment by our security team. Depending on the severity, the team will respond within 1-7 days and communicate whether the bug report was accepted or declined, along with the next steps, including payment of the reward.


Do We Recruit?

We are constantly looking for skilled security professionals! Feel free to consult our job offers by clicking here. The IT Security Team will make sure to put in a good word for you.