OZiva Responsible Disclosure Program
What is OZiva Bug Bounty Responsible Disclosure Program?
We, at OZiva, work hard to keep our customers secure and make every effort to be on top of the latest threats. We believe that information security is as important as our product offerings and should be handled with utmost attention.
The program is active from 1st August 2022.
Security researchers are increasingly engaging with internet companies to hunt down vulnerabilities. If you are a security researcher and have found a valid security vulnerability in our applications (refer scope provided below), please report it to us right away through our Bug Bounty Responsible Disclosure Program.
How to report a bug?
If you have identified a vulnerability on any of our in-scope applications, we request you to follow these simple steps to report the vulnerability:
Write to us at email@example.com with all the necessary details which will help us reproduce the vulnerability, including (but not limited to):
- Name of vulnerability
- Steps to reproduce and proof of concept - screenshots, videos or simple text/document instructions
- Vulnerable HTTP Request and Response (if applicable)
In order for us to reach out to you quickly, please share your contact details with us so that our security team can reach out to you if further inputs are required to identify or close the vulnerability. In case it is a vulnerability in the OZiva Android/iOS app or website, please share the registered phone number you used to discover the vulnerability. Personal contact details include (not limited to):
- Your full name
- Your email address
- Your phone number
- The phone number associated with your OZiva account
- Link to any of your publicly identifiable profile (such as LinkedIn, Github, etc.)
We will reward you if we assess your vulnerability to be critical and if we end up making a critical change in our workflow.
Participants to the Program shall strictly be bound by the Responsible Disclosure Policy.
Only vulnerabilities rated critical and high are eligible for the Security Hall of Fame!
OZiva may at its sole discretion rate vulnerabilities as critical, high, medium and low.
If you have identified a vulnerability on any of our in-scope applications, we request you to follow the steps outlined below:
- You must report a qualifying vulnerability through the steps identified in “how to report a bug?” section.
- If you are a OZiva employee or are related to an employee (parent, sibling, spouse, relative etc), you are not eligible.
- If you are our customer or a security researcher interested in making our systems safe, you are eligible.
- Any disclosure of the vulnerability without prior consent from OZiva will result in disqualification. You may be ineligible for our program basis it’s impact and severity if found to be minimal or the vulnerability is a false positive.
Scope for our program
Please do not attempt to compromise the safety or privacy of our users (so please use test accounts), or the availability of OZiva through DoS attacks or spam.
mobile application : com.oziva_app
Out of scopeRate-limiting issues or brute-forcing issues on non-sensitive endpoints
- 3rd party applications
- Any activity that could lead to the disruption of our service
- Software version disclosure, banner identification issues
- DoS and DDoS attacks are STRICTLY PROHIBITED
- UI-redressing/clickjacking on non-sensitive endpoints
- Misconfigured CORS which can’t be used to leak sensitive information
- Issues that do not affect the latest version of modern browsers
- Disclosure of information that does not present a significant risk
- Cross-site Request Forgery with minimal security impact
- General best practices concerns
- Attacks requiring physical access to a user’s device
- Missing email best practices & SSL/TLS misconfiguration
- Missing httpOnly or secure-only flags on cookies
- Public 0day vulnerabilities that have had an official patch for less than 1 month will be awarded on case by case basis
- Email/Username enumeration
- Self XSS
- Open redirect unless an additional security implication can be demonstrated.
Responsible Disclosure Policy
You shall protect all our Confidential Information (as defined below) from disclosing to any third party, hold the same in trust and strictest confidence, and protect it against disclosure to any person in the same manner and with the same degree of care, but not less than a reasonable degree of care, which you would do to protect your own confidential information
You shall not access, store, modify or reproduce in writing our users data or other Confidential Information.
Further, you agree that you shall:
- Not use any such Confidential Information except solely for the purpose of this program.
- Not divulge any such Confidential Information to any third party without prior written approval of OZiva
- Not copy or reverse engineer any such Confidential Information or use/exploit such Confidential Information for your own benefit or the benefit of another.
You shall ensure that no disruption is caused to the production systems, degradation of user experience and destruction of data during security testing either by any automated security scanner, brute forcing, DoS/DDoS attack, or rate limiting issue on non-sensitive endpoints, etc. Please note that through this program the Company does not intend, in any manner, to create any joint venture, partnership or any other relation (unless expressly agreed in writing) with you.
If you inadvertently cause a privacy violation or disruption in the absence of any malicious intention (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this immediately in your communication with the Company
You shall refrain from exploiting and/or proceeding with subsequent testing of a security issue you discover for any reason (including demonstrating additional risk etc).
You shall allow us a reasonable time to acknowledge your finding/report
You shall not be allowed to disclose the vulnerability in the public channels before it gets fixed. Before publishing any write-up on your finding, you will have to first confirm with the company in writing. We might ask you for a draft of your write-up as well for review before you intend to publish the same on the various public channels.
Appropriate legal recourse shall be taken if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customer or system information or impairing Company’s systems or Program guidelines are not followed or breach of the Confidential Information, also you shall not be eligible for our Program.
You shall not independently develop or have developed for itself, products, concepts, systems or techniques that are similar to or compete with the products, concepts, systems or techniques contemplated under the Program. Such development shall be construed as a violation of the obligations of you under this Program.
You shall indemnify, defend and hold the Company harmless from and against any losses, costs, expenses, damages of whatsoever nature which may be incurred or suffered by the Company arising out of or as a result of any breach of Program (including negligence) or otherwise of any of your obligations contained herein.
All Confidential Information furnished to you by the Company shall remain the exclusive property of the Company and the Company shall have the sole and exclusive ownership of all right, title, and interest in and to the Confidential Information, including ownership of all copyrights, patents and trade secrets pertaining thereto, subject only to the rights and privileges expressly granted by the Company under the terms of this Program.
Promptly upon the Company’s request at any time, you shall return / cause to be returned to the Company all the Confidential Information, including all materials or documents, any copies, summaries and notes of the contents thereof (whether in hard or soft copy form) without limitation, all copies of any analyses, compilations, studies or other documents prepared by and/or for company, containing or reflecting any Confidential Information and give written certification accordingly.
You understand and acknowledge that any misappropriation or disclosure of any of the Confidential Information in violation of the confidentiality obligations will cause the Company grave and irreparable harm, loss and injury, the amount of which may be difficult to ascertain. You agree that the Company has the right to apply to a court of competent jurisdiction for specific performance and/or an order restraining and enjoining any such further disclosure or breach and for such other relief as the Company shall deem appropriate, without posting or the need to post any bond or other security. Such right of the company to obtain equitable relief in the form of specific performance, temporary restraining order, temporary or permanent injunction or any other equitable remedy which may then be available to it, without the necessity of proving actual damages, shall be in addition to the remedies otherwise available to it at law. You expressly waive the defense that a remedy in damages will be adequate.
You understand and acknowledge that any misappropriation or disclosure of any of the Confidential Information in violation of the confidentiality obligations will cause the Company grave and irreparable harm, loss and injury, the amount of which may be difficult to ascertain. You agree that the Company has the right to apply to a court of competent jurisdiction for specific performance and/or an order restraining and enjoining any such further disclosure or breach and for such other relief as the Company shall deem appropriate, without posting or the need to post any bond or other security. Such right of the company to obtain equitable relief in the form of specific performance, temporary restraining order, temporary or permanent injunction or any other equitable remedy which may then be available to it, without the necessity of proving actual damages, shall be in addition to the remedies otherwise available to it at law. You expressly waive the defence that a remedy in damages will be adequate.
Nothing contained in this Program shall be construed to obligate the Company. to disclose any information to you.
This Program shall be fully binding upon you.
The failure of the Company to insist upon or enforce strict performance of any of the provisions of this Program or to exercise any rights or remedies under this Program shall not be construed as a waiver or relinquishment to any extent of the company’s rights to assert or rely upon any such provisions, rights or remedies in that or any other instance; rather the same shall remain in full force and effect.
This Program shall be governed by, construed and enforced in accordance with the laws of the Republic of India.
The courts in Mumbai & India shall have the exclusive jurisdiction.
Hall of Fame
OZiva is proud to showcase the following researchers for their valuable contributions to making our products more secure for everyone.
Shiva Kumar M V (https://www.linkedin.com/in/shivakumar-m-v/)
Mohd. Farzaan (https://www.linkedin.com/in/mohd-farzaan-aqil-59141b237)
Khan Mohd Shamim (https://www.linkedin.com/in/khan-shamim-5ba935212/)
Pratik Vinod Yadav firstname.lastname@example.org (https://twitter.com/PratikY9967)
Vedant Tiwari, AIIT-Lucknow (https://mobile.twitter.com/Keepdebugging)
Vikas Maurya (https://www.linkedin.com/in/vikas0vks)
Anindya Ghoshal (https://www.youtube.com/@techghoshal)
Arjun Kumawat (https://www.linkedin.com/in/arjun-kumawat-bb3683183)