At Indian Cyber Troops, security is core to our values, and we value the input of external security researchers acting in good faith to help us maintain a high standard for the security and privacy of our users and systems. This policy sets out our definition of good faith in the context of finding and reporting security vulnerabilities, as well as what you can expect from us in return for your effort, skill, and dedication.
We require all security researchers to:
Act in good faith to avoid privacy violations, degradation of our services, disruption to production systems, and destruction of data during security testing (including denial of service);
Perform research only within the scope set out below;
Be clear and succinct (a short proof-of-concept link is invaluable);
Only interact with your own accounts or test accounts for security research purposes. Do not access or modify our data or our users’ data without the explicit permission of the owner; and
Keep information about any vulnerabilities you’ve discovered confidential between us until we’ve had 15 days to resolve the issue.
If you follow these guidelines when reporting an issue to us, we commit to:
Not pursue or support any legal action related to your research;
Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission); and
Recognize your contribution on our Leaderboard, if you are the first to report the issue and we make a code or configuration change based on the issue.
Email us your finding at: email@example.com
Or you can message us on Instagram: Indian Cyber Troops Instagram
When working with us according to this policy, you can expect us to:
Work with you to understand and validate your report, including a timely initial response to the submission;
Work to remediate discovered vulnerabilities in a timely manner; and
**Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.**
The vulnerabilities listed here are explicitly eligible for our security program. Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Authentication or Authorization Flaws
Server-Side Request Forgery (SSRF)
Server-Side Template Injection (SSTI)
SQL injection (SQLI)
XML External Entity (XXE)
Remote Code Execution (RCE)
Local or Remote File Inclusions, and many more (hidden)
While this list represents our primary focus for security research, we are interested in reports for all of our software and dependencies, especially if they impact reasonably sensitive user data. This can include any open source libraries, software, or third-party components. At our discretion, we will issue rewards for reports not included in the In-Scope Vulnerabilities list.
The following are considered out of scope for our security program and will not be rewarded:
Policies on presence/absence of SPF/DMARC records.
WordPress-related bugs, XMLRPC, CORS, etc.
Password, email and account policies, such as email ID verification, reset link expiration, and password complexity.
Login and Logout Cross-Site Request Forgery until impact is demonstrated.
Rate Limiting Issues.
Attacks requiring physical access to a user’s device.
Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible.
Social engineering of our employees or clients.
Any physical attempts against our property or data centers.
Missing cookie flags on non-sensitive cookies.
Any access to data where the targeted user needs to be operating a rooted mobile device.
Missing security headers which do not lead directly to a vulnerability.
Host header injection until impact is demonstrated.
Reports from automated tools or scans that haven’t been manually validated.
Presence of banner or version information unless correlated with a vulnerable version with a working proof of concept.
UI and UX bugs and spelling mistakes.