Goals

Chingari's security responsible disclosure program is designed to:

  1. Reward those who responsibly disclose vulnerabilities on Chingari properties.
  2. Help make Chingari more secure for its users.

 

How to Report

Send an email with all the details to security@chingari.io.
The email should contain at least the following information:

  1. Vulnerability type (XSS, SQLi, IDOR, etc.).
  2. Vulnerable service (e.g., the website).
  3. Details of the vulnerability, including steps to reproduce it.
  4. A proof of concept of the vulnerability (logs, screenshots, and video as applicable).
  5. Impact of the vulnerability.

 

Bounty Policy

  1. Please do not publicly disclose the vulnerability until it has been patched.
  2. We will privately acknowledge each incident reported to security@chingari.io.

Patching a disclosed vulnerability may take some time, depending on its complexity. We ask the security researcher not to make the vulnerability public and to allow us a reasonable amount of time to fix it.

 

Our Promise

  1. We will acknowledge each reported incident as soon as we can.
  2. We will patch reported vulnerabilities promptly and keep the reporter informed of progress.
  3. We will pay a bounty once the vulnerability has been patched.

 

Eligibility

Scope: the current scope is limited to the Chingari web application at https://chingari.io/

To be eligible for a bounty:

  1. The reported vulnerability must be a bug that compromises the integrity of user data, bypasses privacy protections, or enables unauthorized access. Other types of bugs are not eligible.
  2. The reporter must be the first to report the vulnerability.

 

Prohibitions

  1. Do not attempt to gain access to another user's account or data.
  2. Do not perform any attack that could harm the reliability or integrity of our services or data.
  3. Do not publicly disclose a bug before it has been fixed.
  4. Only test for vulnerabilities on sites you know to be operated by Chingari; vulnerabilities in third-party applications are excluded.
  5. Do not impact other users with your testing; this includes testing for vulnerabilities in portals you do not own.
  6. Automated scanners or automated tools for finding vulnerabilities are forbidden and will be blocked.
  7. Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  8. No denial of service (DoS/DDoS) testing: this activity is prohibited, and the testing cluster is not scaled for such attacks.
  9. Do not contact the Chingari call center, helpdesk, or employees about bug-bounty concerns or vulnerability reports; use security@chingari.io instead.

The following finding types are specifically excluded from the bounty.

  1. HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  2. Fingerprinting/banner disclosure on common/public services.
  3. Disclosure of known public files or directories (e.g., robots.txt).
  4. Clickjacking, and issues that are only exploitable through clickjacking.
  5. CSRF on forms that are available to anonymous users (e.g., login or contact form).
  6. Login/logout Cross-Site Request Forgery (logout CSRF).
  7. Presence of application or web browser "autocomplete" or "save password" functionality.
  8. Lack of a security speedbump (warning page) when leaving the site.
  9. No CAPTCHA / weak CAPTCHA / CAPTCHA bypass.
  10. Brute force against the login or forgot-password pages, and account lockout not being enforced.
  11. HTTP methods enabled:
    • OPTIONS, PUT, GET, DELETE, INFO
  12. Web server type disclosure.
  13. Social engineering of our service desk, employees, or contractors.
  14. Physical attacks against Chingari's offices and data centers.
  15. Error messages containing non-sensitive data.
  16. Non-application-layer Denial of Service or DDoS.
  17. Lack of the HttpOnly / Secure flag on cookies.
  18. Username / email enumeration:
    • via login page error message
    • via forgot-password error message
  19. Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.:

    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  20. SPF / DMARC / DKIM mail and domain findings.
  21. Email rate limiting or spamming.
  22. DNSSEC findings.
  23. CSV issues.
  24. AV scanning.
  25. SSL/TLS issues, e.g.:
    • attacks such as BEAST, BREACH, or renegotiation attacks
    • forward secrecy not enabled
    • weak/insecure cipher suites
  26. Cookie issues:
    • HttpOnly
    • Secure
    • multiple cookies being set
    • anything to do with JSESSIONID
  27. Service rate limiting.
  28. User or organization enumeration.
  29. Security image issues.

 

Terms and conditions

  1. Do not violate any laws. Don't be evil. Chingari retains the right to pursue legal action if responsible disclosure is not followed.
  2. Eligibility for, and the amount of, any bounty is at the sole discretion of Chingari.
  3. When testing for vulnerabilities, use your own account. Testing must not violate any laws or access other users' data without their explicit approval.
  4. Chingari retains the right to modify or terminate this program at any time without notice.

 

Swag:

  • Certificate of appreciation