Bug / Vulnerability Reward Program
Immediately after our launch, To improve our site's security, we are offering rewards to anyone reporting a previously unknown security-relevant bug or design flaw.
What types of bugs qualify?
-
Remote code execution on any of our servers (including SQL injection).
-
Remote code execution on any client browser (e.g., through XSS).
-
Any issue that breaks our security model, allowing unauthorized remote access to or manipulation of user info or data.
-
Any issue that bypasses access control, allowing unauthorized overwriting/destruction of user data.
What types of bugs do not qualify?
-
Any issue requiring active victim participation, such as phishing and social engineering attacks.
-
Any issue resulting from users choosing weak passwords.
-
Any issue requiring a very significant number of server requests to exploit.
-
Any issue requiring a compromised client machine.
-
Any issue requiring an unsupported or outdated client browser.
-
Vulnerabilities in third party-operated services (e.g. resellers).
-
Any overloading/resource exhaustion/denial of service-type of attacks.
-
Anything relying on forged SSL certificates.
-
Any bugs that are unrelated to the integrity, availability and confidentiality of user data.
How much can I earn?
We offer up to NPR 5,000 per bug, depending on its complexity and impact potential.
Who is eligible?
The first finder of the bug. Bugs reported by third parties are typically not considered for a reward.
What is the disclosure policy?
You are free to disclose your finding to the general public after we confirm to you that the issue has been resolved.
Who makes the decision?
The decision whether you qualify and how much you earn is at our discretion, and while we will be fair and generous, you agree to accept our verdict as final.
How do I submit my finding?
Send an e-mail to [email protected].