Chingari security responsible disclosure is an ethical method to report system vulnerabilities in our system, which allows us sufficient time to identify and apply the appropriate countermeasures before these vulnerabilities might become public.By following this method, the sender helps us to identify and resolve system flaws, thus providing a valuable and efficient contribution to increase the security of our services and customer’s data and avoiding damage or disruption to our systems.
How Responsible Disclosure Works in Chingari
Should customers, researchers, or experts identify one or more vulnerabilities in any of the following environments:
Please do not publicly disclose the vulnerability until it has been patched.
We will privately acknowledge each incident reported at security@chingari.io.
Scope: All Chingari & Gari applications, domains, and subdomains are in-scope:
All Chingari portals and API’s (*.chingari.io, *.gari.network, *.gariverse.io)
Mobile applications bearing the Chingari logo and published in official stores
Gari Smart Contract
Gari Tokens, wallet, and more.
The reported vulnerability should be a bug that compromises the integrity of user data, bypasses privacy protections, or enables unauthorized access. The reporter should be the first to disclose the vulnerability.Patching of the disclosed vulnerability may take some time, depending on the complexity of the vulnerability. We request the security researcher not make the vulnerability public and provide us a reasonable amount of time.
How to report a vulnerability responsibly
Send an email with all the details to security@chingari.ioThe email should contain at least the following information:
Vulnerability type (XSS, SQLI, IDOR, SSRF, etc.).
Vulnerable service (Website).
Details about vulnerability.
A proof of concept of the vulnerability (logs, screenshots, and video, as applicable).
Impact of the vulnerability.
Prohibitions
Do not attempt to gain access to another user’s account or data.
Do not perform any attack that could harm the reliability/integrity of our services or data.
Do not publicly disclose a bug before it has been fixed.
The only test for vulnerabilities on sites you know to be operated by Chingari. – Vulnerabilities on third-party applications are excluded
Do not impact other users with your testing; this includes testing for vulnerabilities in portals you do not own.
Automated scanners or automated tools to find vulnerabilities are forbidden and will be blocked.
Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
No Distributed Denial of Service (DDoS/DoS) – we prohibit this activity, and the testing cluster is not scaled for these attacks.
Do not contact the Chingari call center, helpdesk, or employee for any vulnerability-related concerns or any vulnerability report.
The following finding types are expressly excluded from the responsible disclosure.
HTTP 404 codes/pages or other HTTP non-200 codes/pages.
Fingerprinting/banner disclosure on common/public services.
Disclosure of known public files or directories (e.g., robots.txt).
Clickjacking and issues are only exploitable through clickjacking.
CSRF on forms that are available to anonymous users (e.g., login or contact form).
Logout / Login Cross-Site Request Forgery (logout CSRF) or with minimal security impact.
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
Lack of Security Speedbump when leaving the site.
No Captcha / Weak Captcha / Captcha Bypass
Login or Forgot Password page brute force and account lockout not enforced
HTTP method enabled
OPTIONS, PUT, GET, DELETE, INFO
WebServer Type disclosures
Social engineering of our service desk, employees, or contractors
Physical attacks against Chingari’s offices and data centers
Error messages with non-sensitive data
Non-application layer Denial of Service or DDoS
Lack of HTTP Only / SECURE flag for cookies
Username/email enumeration
via Login Page error message
via Forgot Password error message
Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
SPF / DMARC / DKIM Mail and Domain findings, No TXT record or a missing CAA record
Email Rate Limiting or Spamming
DNSSEC Findings
CSV Issues
AV Scanning
SSL Issues, e.g.
SSL Attacks such as BEAST, BREACH, Renegotiation attack
SSL Forward secrecy is not enabled
SSL weak/insecure cipher suites
Cookie Issues
HTTPONLY
SECURE
multiple cookie setting
Anything to do with JSESSIONID
Service Rate Limiting
User or Org enumeration
Security Image Issues
Host header injection
Reports of outdated versions of software without proof of a working exploit
Absence of security best practices or hardening measures. While these are important, they are beyond the scope of a CVD process. For example:
php/wp-json from a WordPress website
Absence of rate limiting measures
Vulnerabilities that only affect users of outdated or unpatched browsers and platforms
Issues requiring unlikely user activity
If your report relates to a vulnerability that has already been reported by someone else, we will act only on the earlier report.
Terms and conditions
Do not violate any legal laws. Don’t be evil. Chingari retains the right to pursue legal action if “Responsible Disclosure” is not followed.
For testing for vulnerabilities, use your own account. Testing should not violate any laws or access the data of other users without their explicit approval.
Chingari retains the right to modify or terminate this program at any time without notice.
Hall of fame
We would like to thank all persons who made a responsible disclosure to us and recognize their valuable contribution to increasing the security of our products and services for our customer’s benefit by featuring those contributors in oursecurity hall of fame.Note: As of now, we are not giving any monetary rewards.
