Goals
Chingari's security responsible disclosure program is designed to:
- Reward those who responsibly disclose vulnerabilities on Chingari properties.
- Help make Chingari more secure for its users.
How to Report
Send an email with all the details to security@chingari.io.
The email should contain at least the following information:
- Vulnerability type (XSS, SQLI, IDOR, etc.).
- Vulnerable service (Website).
- Details about the vulnerability.
- A proof of concept of the vulnerability (logs, screenshots, and video as applicable).
- Impact of the vulnerability.
Bounty Policy
- Please do not publicly disclose the vulnerability until it has been patched.
- We will privately acknowledge each incident reported at security@chingari.io.
Patching of the disclosed vulnerability may take some time, depending on its complexity. We ask the security researcher not to make the vulnerability public and to allow us a reasonable amount of time.
Our Promise
- We will acknowledge each incident reported as soon as we can.
- We will patch reported vulnerabilities promptly and keep the reporter informed about the progress.
- We will pay a bounty once the vulnerability is patched.
Eligibility
The Chingari security vulnerability bounty is subject to the following conditions:
Scope: the current scope is limited to the Chingari web application: https://chingari.io/
- The reported vulnerability should be a bug that compromises the integrity of user data, bypasses privacy protections, or enables unauthorized access. Other types of bugs are not eligible.
- The reporter should be the first to disclose the vulnerability.
Prohibitions
- Do not attempt to gain access to another user’s account or data.
- Do not perform any attack that could harm the reliability/integrity of our services or data.
- Do not publicly disclose a bug before it has been fixed.
- Only test for vulnerabilities on sites you know to be operated by Chingari; vulnerabilities in third-party applications are excluded.
- Do not impact other users with your testing; this includes testing for vulnerabilities in portals you do not own.
- Automated scanners or automated tools to find vulnerabilities are forbidden and will be blocked.
- Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- No distributed denial of service (DDoS/DoS): we prohibit this activity, and the testing cluster is not scaled for these attacks.
- Do not contact the Chingari call center, helpdesk, or employees for any bug-bounty-related concerns or any vulnerability report.
The following finding types are specifically excluded from the bounty.
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting/banner disclosure on common/public services.
- Disclosure of known public files or directories (e.g., robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g., login or contact form).
- Logout / Login Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Security Speedbump when leaving the site.
- No Captcha / Weak Captcha / Captcha Bypass
- Login or Forgot Password page brute force and account lockout not enforced
- HTTP methods enabled, e.g.
  - OPTIONS, PUT, GET, DELETE, INFO
- WebServer Type disclosures
- Social engineering of our service desk, employees, or contractors
- Physical attacks against Chingari’s offices and data centers
- Error messages with non-sensitive data
- Non-application layer Denial of Service or DDoS
- Lack of HTTP Only / SECURE flag for cookies
- Username / email enumeration
  - via Login Page error message
  - via Forgot Password error message
- Missing HTTP security headers (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
  - Strict-Transport-Security
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  - Content-Security-Policy-Report-Only
- SPF / DMARC / DKIM Mail and Domain findings
- Email Rate Limiting or Spamming
- DNSSEC Findings
- CSV Issues
- AV Scanning
- SSL Issues, e.g.
  - SSL attacks such as BEAST, BREACH, Renegotiation attack
  - SSL forward secrecy not enabled
  - SSL weak/insecure cipher suites
- Cookie Issues
  - HTTPONLY
  - SECURE
  - multiple cookie setting
  - Anything to do with JSESSIONID
- Service Rate Limiting
- User or Org enumeration
- Security Image Issues
Terms and conditions
- Do not violate any laws. Don’t be evil. Chingari retains the right to pursue legal action if “Responsible Disclosure” is not followed.
- Eligibility for and the amount of any bounty are at the sole discretion of Chingari.
- When testing for vulnerabilities, use your own account. Testing should not violate any laws or access the data of other users without their explicit approval.
- Chingari retains the right to modify or terminate this program at any time without notice.
Swag:
- Certificate of appreciation