Airtel's Bug Bounty event Terms & Conditions

Airtel (“Company”) will be hosting a closed / invite-only bug bounty on Saturday 8th and Sunday 9th February 2020 in Delhi NCR.

All successful submissions will qualify for one or more of the following:
1. Letter of thanks and recognition; and/or
2. Monetary reward depending on the impact of the issue. Rewards may range from INR 2,000/- to INR 35,000/-.

Responsible Disclosure:
While conducting your research, we ask that

1. You will protect our users' privacy and data in good faith. You will not access or modify other users' data without our permission.
2. You will ensure that your testing causes no disruption to production systems, no degradation of user experience and no destruction of data.
3. If you inadvertently and without malicious intent cause a privacy violation or disruption (such as accessing account data, service configurations or other confidential information) while investigating an issue, disclose this immediately in your communication with us.
4. Once you discover an issue, you shall refrain from exploiting it or proceeding with further testing for any reason (including to demonstrate additional risk).
5. Discovered vulnerabilities may not be disclosed to third parties, including as part of paper reviews or conference submissions. You shall maintain the confidentiality of these terms and of the details of the bug in perpetuity.
6. Should you wish to share details of the bug with others or disclose it publicly, you will seek our explicit written consent before doing so. Airtel reserves the right to modify the disclosed information if required.
7. You will not violate any other applicable laws or regulations.
VIOLATIONS OF THIS SECTION COULD REQUIRE YOU TO RETURN ANY BOUNTIES PAID FOR THAT VULNERABILITY AND TO PAY ANY LOSS OR DAMAGES THAT THE COMPANY MAY INCUR AS A RESULT OF YOUR VIOLATION, ALONG WITH INITIATION OF ANY OTHER LEGAL ACTION THAT THE COMPANY MAY DEEM FIT, AND DISQUALIFICATION FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE.

Our commitment:
In return, we commit to:

1. Working with you to investigate and resolve the issue as quickly as possible.
2. Keeping you informed of the status of the reported issue.
3. Not pursuing or supporting any legal action related to your research/testing.

Page 1 of 4
Eligibility
1. You are a customer of Airtel or a security researcher interested in making our sites and applications safe.
2. If you are/were employed (full time or partner role) by Airtel or are related to an employee or partner of
Airtel (spouse, parent or sibling), you are NOT eligible for the bug bounty program.

3. Airtel has the right to modify/alter the eligibility criteria at any time without prior notice.

Event Terms
Monetary bounties for security reports are entirely at Airtel’s sole discretion, and will be decided based on risk,
business impact, and other factors. Airtel has the right to suspend/modify/cancel any of these terms, or this Bug
Bounty event at any time prior to 8th February 2020.

To qualify for a bounty, you need to meet the following requirements:

1. Adhere to our Responsible Disclosure Policy.
2. Report a security bug: that is, identify a vulnerability in our services or infrastructure which creates a
security or privacy risk
3. Your report must describe a problem involving one of the products that are part of the bug bounty scope.
4. You will render necessary assistance to Airtel to resolve the issue.
5. The bounty will be paid only after the issue has been fully resolved by Airtel.
6. We reserve the right to publish reports (and accompanying updates) without seeking your approval.
7. All payments will be made in Indian Currency (INR).
8. If we pay a bounty, the maximum reward is INR 35,000/-.
9. In the event of duplicate reports, we award a bounty to the first person to submit an issue (Airtel determines
duplicates and may not share details on the other reports). A given bounty is only paid to one individual.
10. We verify that all bounty awards are permitted by applicable laws.
11. Note that extremely low-risk issues may not qualify for a bounty at all. We will have the sole discretion to
ascertain the risk category.
12. We seek to pay similar amounts for similar issues, but qualifying issues & amounts that are paid may
change. Past rewards do not guarantee similar results in the future.
13. We specifically exclude certain types of potential security issues that have no impact on the business; these are listed under "Unqualified Reports and False Positives" below. Such exclusions are entirely at Airtel’s discretion at all times.
14. A bounty shall only be paid for bugs previously unknown to Airtel; already known bugs will not receive a bounty. Our internal bug tracking system is the reference for what is already known.
15. While we care about vulnerabilities affecting other services we use, we cannot guarantee that our disclosure policies apply to services from other companies, and in this case you will NOT be eligible for the bounty program.
16. Disclosure of the issue/report via other means (such as sharing it publicly on social media), or violation of our disclosure requirements at any stage, will render you ineligible for this program.
17. You will not contact any Airtel employee regarding the program via any other means or channels.

Scope for the bug bounty program:

Scope of this event will be shared on 8th Feb 2020 with shortlisted candidates.

Breach of program terms & guidelines

We expect you to respect all the terms and conditions of the program & responsible disclosure as stated above.
Any breach will automatically disqualify you from the bug bounty program and serious breaches of the guidelines
might result in legal action.

Unqualified Reports and False Positives (Indicative List)
Some submission types are excluded because they are dangerous to assess and/or because they have low impact for us. Issues listed in this section are not accepted under this program, will be marked as invalid immediately, and are not rewardable.

1. Security issues in third-party services that integrate with Airtel. These are not managed by Airtel and do
not qualify under our guidelines for security testing.
2. Findings from physical testing such as office access (e.g. open doors, tailgating).
3. Findings derived primarily from social engineering (e.g. phishing, vishing).
4. Functional, UI and UX bugs and spelling mistakes.
5. Vulnerabilities reported by automated tools without additional analysis of why they are an issue.
6. Issues that require physical access to a victim's computer.
7. Network or application level Denial of Service (DoS/DDoS) vulnerabilities.
8. Website scraping.
9. Bugs requiring exceedingly unlikely user interaction.
10. Flaws affecting the users of out-of-date browsers and plugins.

The following finding types are specifically excluded from the bounty:

1. Descriptive error messages (e.g. Stack Traces, application or server errors).
2. HTTP codes/pages or other HTTP non- codes/pages.
3. Disclosure of known public files or directories, (e.g. robots.txt).
4. Clickjacking and issues only exploitable through clickjacking.
5. CSRF in forms that are available to anonymous users.
6. CSRF with minimal security implications (Logout CSRF, etc.).
7. Presence of application or web browser 'autocomplete' or 'save password' functionality.
8. Lack of Secure/HttpOnly flags on non-sensitive cookies.
9. Weak CAPTCHA / CAPTCHA bypass.
10. Most brute-force issues, or issues that can be exploited using brute force.
11. Open redirects.
12. HTTPS mixed-content scripts.
13. Self-XSS.
14. Username/email enumeration.
15. Publicly accessible login panels.
16. Reports that state that software is out of date/vulnerable without a proof of concept.
17. Host header issues without an accompanying proof of concept demonstrating the vulnerability.
18. Stack traces that disclose technical information but do not result in compromise of information.
19. Best-practice concerns.
20. Internal IP disclosure.
21. Lack of enforcement of HTTPS via redirection.
22. Fingerprinting issues (e.g. open ports without an accompanying proof of concept demonstrating a vulnerability, banner grabbing).
23. Sensitive data in URLs/request bodies when protected by SSL/TLS.
24. Issues reported in microsites with minimal or no user data.
25. Issues that affect single users and require interaction or significant prerequisites (e.g. MitM) to trigger.
26. Missing security headers that do not present an immediate security vulnerability.
27. SSL/TLS issues, e.g.:
a. SSL/TLS scan reports (output from sites such as SSL Labs)
b. SSL attacks such as BEAST, BREACH or the renegotiation attack
c. Forward secrecy not enabled
d. Weak/insecure cipher suites

Out of Scope bugs for Android apps

1. Absence of certificate pinning.
2. Sensitive data stored in the app's private directory.
3. User data stored unencrypted on external storage.
4. Lack of binary protection controls in the Android app.
5. Shared links leaked through the system clipboard.
6. Any URIs leaked because a malicious app has permission to view opened URIs.
7. Sensitive data in URLs/request bodies when protected by TLS.
8. Lack of obfuscation.
9. OAuth/app secrets or hard-coded/recoverable credentials in the app.
10. Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope).

Out of Scope bugs for iOS apps

1. Absence of certificate pinning.
2. Lack of exploit mitigations, i.e. PIE, ARC or stack canaries.
3. Path disclosure in the binary.
4. User data stored unencrypted on the file system.
5. Lack of binary protection (anti-debugging) controls.
6. Lack of obfuscation.
7. Lack of jailbreak detection.
8. Runtime hacking exploits (exploits only possible in a jailbroken environment).
9. OAuth/app secrets or hard-coded/recoverable credentials in the app.
10. Snapshot/pasteboard leakage.
11. Crashes due to malformed URL schemes.

I, ………………………………………………………………………………………., acknowledge that I have read, understood and accept the above terms and conditions before participating in Airtel’s private Bug Bounty Event, and agree to be bound by the terms and conditions as outlined therein.

Name:

Signature:
Affix passport size photo
Date:
