PhonePe’s Responsible Disclosure Policy

At PhonePe, we take the security of our systems seriously, and it is our constant endeavour to make our website a safe place for our customers to browse. However, in the rare case when a security researcher or a member of the general public identifies a vulnerability in our systems and responsibly shares the details with us, we appreciate their contribution, work closely with them to address such issues with urgency and, if they wish, publicly acknowledge their contribution. PhonePe reserves the right to decide whether a report is valid on the basis of the impact of the vulnerability.

To be eligible for recognition, you must:

  • Be the first person to responsibly disclose the bug.
  • Report a bug that could compromise our users' private data, circumvent the system's protections, or enable access to a system within our infrastructure.

Types of Recognition

  • Hall of Fame

We will soon be launching our private bug bounty programme, and if you have submitted a valid bug we will send you an invite.

Rules of Engagement

  • You give us reasonable time to investigate and mitigate an issue that you report.
  • You refrain from accessing sensitive information (by using a test account and/or system), performing actions that may negatively affect other PhonePe users (denial of service), or sending reports from automated tools.
  • You do not exploit a security issue that you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
  • You do not violate any laws or breach any agreements in order to discover vulnerabilities.

Programme terms

We recognise security researchers who help us to keep users safe by reporting vulnerabilities in our services. Recognition for such reports is entirely at PhonePe’s discretion, based on risk, impact and other factors. For recognition in PhonePe’s Hall of Fame, you first need to meet the following requirements:

  • Adhere to our Responsible Disclosure Policy
  • Report a security bug: identify a vulnerability in our services or infrastructure which creates a security or privacy risk. (Note that PhonePe ultimately determines the risk of an issue, and that many software bugs are not security issues.)
  • Your report must describe a problem involving one of the products or services listed under "Scope".
  • We specifically exclude certain types of potential security issues; these are listed under "Exclusions".
  • If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations or other confidential information) while investigating an issue, make sure that you disclose this in your report.

In turn, we will follow these guidelines when evaluating reports under our responsible disclosure programme:

  • We investigate and respond to all valid reports. Due to the volume of reports that we receive, however, we prioritise evaluations based on risk and other factors, and it may take some time before you receive a reply.
  • We determine recognition in the Hall of Fame based on a variety of factors, including (but not limited to) impact, ease of exploitation and quality of the report. Note that extremely low-risk issues may not qualify for the Hall of Fame at all.
  • In the event of duplicate reports, we give recognition to the first person to submit an issue. (PhonePe determines duplicates and may not share details on the other reports.)

Note that your use of PhonePe services, including for the purposes of this programme, is subject to PhonePe’s Terms and Policies. We may retain any communications about security issues that you report for as long as we deem necessary for programme purposes, and we may cancel or modify this programme at any time.

Scope

  • phonepe.com
  • PhonePe Android/iOS app
  • mercury.phonepe.com
  • insights.phonepe.com

How to report an issue?

If you have identified a vulnerability in any of our web or mobile app properties, we request that you follow the steps outlined below:

  • Please contact us immediately by sending an email to [email protected] with the necessary details to recreate the vulnerability scenario. This may include screenshots, videos or simple text instructions.
  • If possible, share your contact details (email, phone number) with us, so that our security team can reach out to you if further input is needed to identify or close the problem.
  • If the identified vulnerability can be used to potentially extract information of our customers or systems, or impair our system’s ability to function normally, then please refrain from actually exploiting such a vulnerability. This is absolutely necessary for us to consider your disclosure a responsible one.
  • While we appreciate the input of whitehat hackers, we may take legal recourse if the identified vulnerabilities are exploited for unlawful gain, for gaining access to restricted customer or system information, or for impairing our systems.

Qualifying Vulnerabilities

Any design or implementation issue that is reproducible and substantially affects the security of PhonePe users is likely to be in scope for the programme. Common examples include:

  • Injections
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Remote Code Execution (RCE)
  • Authentication/Authorisation flaws
  • Domain take-over vulnerabilities
  • Ability to take over other PhonePe user accounts (while testing, use a second test account of your own to validate)
  • Any vulnerability that can affect the PhonePe Brand, user data and financial transactions

Exclusions

The following bugs are unlikely to be eligible:

  • Issues found through automated testing
  • "Scanner output" or scanner-generated reports
  • Publicly released bugs in internet software within 3 days of their disclosure
  • "Advisory" or "Informational" reports that do not include any PhonePe testing or context
  • Vulnerabilities requiring physical access to the victim's unlocked device
  • Denial of Service attacks
  • SPF and DKIM issues
  • Content injection
  • Hyperlink injection in emails
  • IDN homograph attacks
  • RTL ambiguity
  • Content Spoofing
  • Issues relating to Password Policy
  • Full-Path Disclosure on any property
  • Version number information disclosure
  • Third-party applications on the PhonePe Application directory (identified by the existence of a "Report this app" link on the app's page). Please report issues with these services to the creator of that specific application.
  • Clickjacking on pre-authenticated pages, or the non-existence of X-Frame-Options, or other non-exploitable clickjacking issues
  • CSRF-able actions that do not require authentication (or a session) to exploit
  • Reports related to the following security-related headers:
    • Strict Transport Security (HSTS)
    • XSS mitigation headers (X-Content-Type and X-XSS-Protection)
    • X-Content-Type-Options
    • Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
  • Bugs that do not represent any security risk
  • Security bugs in third-party applications or services built on the PhonePe API; please report them to the third party that built the application or service
  • Security bugs in software related to an acquisition for a period of 90 days following any public announcement

Acknowledgements

We do not have a bounty or cash reward programme for such disclosures, but we express our gratitude for your contribution in other ways. For genuine ethical disclosures, we would be glad to publicly acknowledge your contribution in this section of our website. Of course, this will only be done if you want a public acknowledgement.

Hall Of Fame

PhonePe thanks the following people for finding and responsibly disclosing security vulnerabilities in PhonePe-owned apps, products or services. We are grateful for their contributions and efforts towards the security of PhonePe.

  1. Dhruv Shekhawat
  2. Saeel N Relekar
  3. Rahul Kumar Sah (CyberBeast)