Welcome, Security Researcher! 🔍
At ABHIEO Fintech Private Limited, we believe security is a shared responsibility. Our Bug Bounty Program invites ethical hackers, security researchers, and cybersecurity enthusiasts to help us identify and fix vulnerabilities before they can be exploited.
We are committed to protecting our users' financial data and ensuring the integrity of our platform. Your contributions help millions of Indians conduct secure digital transactions every day.
✅ Why Participate?
- Earn Rewards: Monetary rewards from ₹500 to ₹50,000+ based on severity
- Recognition: Featured in our Security Hall of Fame
- Make Impact: Contribute to securing India's digital payment infrastructure
- Learn & Grow: Gain real-world security research experience
- Legal Protection: Safe harbor for responsible disclosure
💰 Reward Structure
Rewards are determined based on the severity, impact, and quality of your report. We follow industry-standard CVSS (Common Vulnerability Scoring System) guidelines.
| Severity | Reward | Examples |
|---|---|---|
| Critical | ₹20,000 - ₹50,000 | Remote Code Execution, SQL Injection, Authentication Bypass, Critical Data Breach, Payment Manipulation |
| High | ₹10,000 - ₹20,000 | Privilege Escalation, Stored XSS, CSRF on Critical Functions, Sensitive Data Exposure, IDOR |
| Medium | ₹2,500 - ₹10,000 | Reflected XSS, CSRF on Non-Critical Functions, Information Disclosure, Rate Limiting Issues |
| Low | ₹500 - ₹2,500 | Self XSS, CSRF on Low-Impact Functions, Minor Information Leakage, Security Misconfigurations |
💡 Bonus Rewards:
- First Reporter: Be the first to report a valid vulnerability to receive the full reward
- Detailed Reports: Comprehensive reports with detailed PoC, attack scenarios, and mitigation suggestions may receive bonus rewards
- Multiple Vulnerabilities: Report multiple critical issues in a single month to receive bonus recognition
- Hall of Fame: Exceptional contributors will be featured on our Security Hall of Fame page
Reward Criteria
To be eligible for rewards, your report must meet the following criteria:
- Originality: The vulnerability has not been previously reported or is not a known issue
- Reproducibility: Clear, step-by-step instructions that allow our team to reproduce the issue
- Impact: Demonstrated real security impact on ABHIEO systems or user data
- Quality: Well-documented report with proof of concept (screenshots, videos, code)
- Scope Compliance: The vulnerability exists in our in-scope assets
- Responsible Disclosure: You followed our responsible disclosure guidelines
🎯 Program Scope
In-Scope Assets
The following assets are within the scope of our bug bounty program:
📱 Mobile Applications
- ABHIEO Android App (Google Play Store)
- ABHIEO iOS App (Apple App Store)
- All mobile app APIs and endpoints
🌐 Web Platform
- www.abhieo.in (Main website)
- All subdomains (*.abhieo.in)
- Web application APIs
- Payment gateways integration
🔌 API Endpoints
- RESTful APIs
- Authentication & Authorization APIs
- Transaction processing APIs
- User management APIs
💳 Payment Systems
- Payment processing workflows
- Wallet functionality
- Transaction verification systems
- Refund mechanisms
Out-of-Scope
⚠️ The following are NOT in scope:
- Third-party services and platforms (payment gateways, SMS providers, email services)
- Service Provider systems (mobile operators, DTH providers, billers)
- Social media profiles and pages
- Physical security of ABHIEO offices
- Employee email accounts (unless demonstrating a critical vulnerability)
- Staging/development/test environments (unless critical server-level vulnerabilities)
- Issues in archived or deprecated services
Vulnerability Categories
We are particularly interested in the following types of vulnerabilities:
| Category | Examples | Typical Severity |
|---|---|---|
| Authentication & Authorization | Authentication bypass, Privilege escalation, Session hijacking, Broken access control | Critical / High |
| Injection Attacks | SQL Injection, NoSQL Injection, Command Injection, LDAP Injection | Critical / High |
| Cross-Site Scripting (XSS) | Stored XSS, Reflected XSS, DOM-based XSS | High / Medium |
| Data Exposure | Sensitive data leakage, PII exposure, Payment data exposure, API key leakage | Critical / High |
| Business Logic Flaws | Payment bypass, Transaction manipulation, Wallet balance manipulation, Rate abuse | Critical / High |
| CSRF / IDOR | Cross-Site Request Forgery, Insecure Direct Object References | High / Medium |
| Cryptographic Issues | Weak encryption, Insecure key storage, Certificate validation issues | High / Medium |
| Security Misconfigurations | Debug mode enabled, Default credentials, Exposed admin panels | Medium / Low |
📜 Program Rules & Guidelines
Rules of Engagement
✅ DO:
- Use Your Own Accounts: Only test with accounts you own or have explicit permission to access
- Report First: Submit vulnerabilities to us before public disclosure
- Be Professional: Maintain professional and respectful communication
- Provide Details: Include comprehensive reproduction steps, proof of concept, and impact assessment
- Give Us Time: Allow reasonable time for investigation and fix (typically 90 days)
- Keep Confidential: Do not share vulnerability details with third parties
- Follow Laws: Comply with all applicable laws and regulations
❌ DO NOT:
⚠️ Prohibited Activities (Instant Disqualification):
- Access Other Users' Data: Do not access, modify, or delete data belonging to other users
- Perform DoS/DDoS Attacks: Do not perform denial of service attacks or load testing
- Social Engineering: Do not attempt to socially engineer ABHIEO employees, partners, or users
- Physical Testing: Do not attempt physical security testing of offices or data centers
- Spam or Phishing: Do not send unsolicited emails, SMS, or conduct phishing campaigns
- Public Disclosure: Do not publicly disclose vulnerabilities before they are fixed
- Automated Scanning: Do not use automated vulnerability scanners without prior approval
- Data Exfiltration: Do not download or exfiltrate sensitive data beyond what's needed for PoC
- Exploit for Gain: Do not exploit vulnerabilities for personal financial gain or benefit
- Threaten or Blackmail: Any form of extortion will result in legal action
Safe Harbor & Legal Protection
✅ Legal Safe Harbor:
ABHIEO commits to not pursuing legal action against researchers who:
- Act in good faith and follow our program rules
- Report vulnerabilities responsibly and confidentially
- Do not exploit vulnerabilities beyond demonstrating proof of concept
- Do not access or exfiltrate user data beyond minimal PoC requirements
- Make a good faith effort to avoid privacy violations, data destruction, and service disruption
Testing Guidelines
When conducting security research:
- Use Test Accounts: Create dedicated test accounts for your research
- Minimal Impact: Limit testing to the minimum necessary to demonstrate the vulnerability
- No Real Transactions: Do not conduct real financial transactions unless absolutely necessary for PoC (and only with your own accounts)
- Respect Rate Limits: Do not overwhelm our systems with excessive requests
- Clean Up: Delete any test data or accounts you created during testing
- Document Everything: Keep detailed notes and evidence of your testing methodology
📧 How to Submit a Report
Report Submission
Submit your vulnerability report via email to: security@abhieo.in
📋 Required Information:
Your report must include the following to be considered valid:
- Summary: Brief description of the vulnerability
- Severity Assessment: Your assessment of severity (Critical/High/Medium/Low)
- Affected Asset: Specific URL, endpoint, or app version affected
- Vulnerability Type: Category (XSS, SQLi, IDOR, etc.)
- Reproduction Steps: Detailed step-by-step instructions to reproduce
  - Be specific and clear
  - Include request/response examples if applicable
  - Provide screenshots or video demonstration
- Proof of Concept: Working exploit code, cURL commands, or Burp Suite requests
- Impact Analysis: Explain the potential impact on users and business
- Suggested Fix: Optional but appreciated recommendations for remediation
- Your Details: Name, email, ABHIEO account ID (for reward payment)
Report Quality Guidelines
Good Report Example:
✅ High-Quality Report:
Title: SQL Injection in Transaction History API
Summary: The transaction history endpoint is vulnerable to SQL injection via the 'date_from' parameter, allowing unauthorized database access.
Steps to Reproduce:
- Log in to an ABHIEO account
- Navigate to transaction history
- Intercept API request using Burp Suite
- Modify 'date_from' parameter with: 1' OR '1'='1
- Observe SQL error message revealing database structure
Impact: Attacker can extract sensitive transaction data of all users, including amounts, mobile numbers, and timestamps.
[Attached: Screenshots, Burp Suite requests, video demonstration]
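To show what the report above describes and what a fix looks like, here is an added example that is not code from the page or from ABHIEO: a hypothetical transaction-history lookup that splices the `date_from` value into the SQL text, beside the parameterized, input-validated form a remediation would use. The table, column names, sample rows and function names are all constructed for this illustration and are not ABHIEO's schema or API.

```python
import datetime
import re
import sqlite3

# Constructed sample data standing in for a transaction history store.
# Columns: id, user_id, mobile, amount, txn_date (assumed, not ABHIEO's schema).
SAMPLE_ROWS = [
    (1, 101, "9999900001", 250.00, "2024-01-05"),
    (2, 101, "9999900001", 75.50, "2024-02-10"),
    (3, 202, "9999900002", 1200.00, "2024-01-20"),
    (4, 303, "9999900003", 40.00, "2024-03-01"),
]

SELECT_COLS = "SELECT id, user_id, mobile, amount, txn_date FROM transactions "


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions "
        "(id INTEGER, user_id INTEGER, mobile TEXT, amount REAL, txn_date TEXT)"
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def history_vulnerable(conn, user_id, date_from):
    """The flaw the report describes: date_from is concatenated into the SQL.

    A quote character in date_from ends the string literal, so the value can
    change the WHERE clause. With the report's payload the condition becomes
    (user_id = N AND txn_date >= '1') OR '1'='1', which matches every user's rows.
    """
    sql = SELECT_COLS + f"WHERE user_id = {int(user_id)} AND txn_date >= '{date_from}'"
    return conn.execute(sql).fetchall()


DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def is_valid_date(value):
    """Allow-list check: the parameter must be a real calendar date in YYYY-MM-DD form."""
    if not isinstance(value, str) or not DATE_RE.match(value):
        return False
    try:
        datetime.date.fromisoformat(value)
    except ValueError:
        return False
    return True


def history_safe(conn, user_id, date_from):
    """Remediated form: validate the input, then bind it as a query parameter.

    Binding (the ? placeholders) keeps the value out of the SQL text, so quotes
    in it are plain data. Validation is a second layer that also rejects
    malformed dates early, which gives a clean, loggable failure rather than an
    empty result.
    """
    if not is_valid_date(date_from):
        raise ValueError("date_from must be a valid date in YYYY-MM-DD form")
    sql = SELECT_COLS + "WHERE user_id = ? AND txn_date >= ?"
    return conn.execute(sql, (int(user_id), date_from)).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "1' OR '1'='1"  # the value quoted in the sample report
    print("vulnerable, normal input:", len(history_vulnerable(db, 101, "2024-02-01")), "row(s)")
    print("vulnerable, payload:     ", len(history_vulnerable(db, 101, payload)), "row(s)")
    print("safe, normal input:      ", len(history_safe(db, 101, "2024-02-01")), "row(s)")
    try:
        history_safe(db, 101, payload)
    except ValueError as exc:
        print("safe, payload rejected:  ", exc)
```

The vulnerable function returns every row in the table for the payload even though the caller asked for one user's history, which is exactly the cross-user exposure the sample report's impact statement claims; the parameterized version never lets the value touch the query structure, and the validator turns the attempt into an error that can be logged and alerted on.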
Poor Report Example:
❌ Low-Quality Report:
"There is XSS in your website. Please fix and give me reward."
This report lacks: Specific location, reproduction steps, proof of concept, impact assessment
Response Timeline
You can expect the following response times:
- Initial Acknowledgment: Within 24 hours of submission
- Preliminary Assessment: Within 3-5 business days
- Detailed Review & Validation: Within 7-14 business days
- Bounty Decision: Within 30 days of validation
- Payment Processing: Within 30 days of fix deployment
💡 Status Updates:
We will keep you informed throughout the process via email. You can also reach out for status updates, but please avoid excessive follow-ups within the stated timelines.
🚫 Non-Qualifying Vulnerabilities
The following issues are considered out of scope and will not be eligible for rewards:
Common Non-Qualifying Issues
- SPF/DKIM/DMARC Records: Missing or misconfigured email authentication records
- SSL/TLS Issues: Missing security headers, weak cipher suites (unless demonstrating actual exploit)
- Clickjacking: On pages without sensitive actions
- Self XSS: XSS that can only be triggered by the victim injecting the payload against themselves, i.e. it requires social engineering or deliberate user action to exploit
- Logout CSRF: Cross-site request forgery on logout functionality
- Open Redirects: Unless chained with other vulnerabilities
- Content Spoofing: Without demonstrable security impact
- Rate Limiting: On non-critical functionality (unless leading to account takeover or DoS)
- Descriptive Error Messages: Stack traces, path disclosure (unless revealing sensitive data)
- Version Disclosure: Software version information exposure
- Theoretical Vulnerabilities: Without proof of concept or exploitability
- Social Engineering: Including phishing, vishing, or physical attacks
- UI/UX Issues: Spelling errors, formatting issues, missing translations
- Public Information: Information available through official channels (company info, public APIs)
- Outdated Browsers: Issues only affecting outdated or unsupported browsers
- Best Practice Violations: Without demonstrable security impact
⚠️ Important Note:
Submissions of out-of-scope vulnerabilities may affect your standing in the program. Repeated submissions of invalid reports may result in program suspension. Please review the scope carefully before submitting.
🤝 Responsible Disclosure Policy
Our Commitment to You
- Acknowledgment: We will acknowledge receipt of your report within 24 hours
- Communication: We will keep you informed of our progress throughout the investigation and remediation process
- Credit: We will publicly acknowledge your contribution (with your permission) after the fix is deployed
- Fair Compensation: We will provide fair and timely rewards for valid vulnerabilities
- No Legal Action: We will not pursue legal action against researchers who follow our responsible disclosure guidelines
What We Ask From You
- Private Disclosure: Report vulnerabilities privately to security@abhieo.in
- Give Us Time: Allow reasonable time for remediation (typically 90 days) before public disclosure
- Coordinated Disclosure: Work with us on the disclosure timeline if you plan to publish your findings
- Confidentiality: Do not share details with third parties without our consent
- Destroy PoC Materials: Delete all proof of concept code, videos, and artifacts after the issue is resolved
Disclosure Timeline
- Day 0: Vulnerability reported to ABHIEO
- Day 1: ABHIEO acknowledges report
- Day 7-14: ABHIEO validates and assesses severity
- Day 30-90: ABHIEO develops and deploys fix
- After Fix: Public disclosure coordinated with researcher (optional)
✅ Hall of Fame:
Researchers who responsibly disclose valid vulnerabilities will be recognized in our Security Hall of Fame (coming soon). Top contributors may receive:
- Digital certificate of appreciation
- Featured recognition on our security page
- LinkedIn endorsement from ABHIEO Security Team
- Invitation to exclusive security researcher events
❓ Frequently Asked Questions
Q: Who can participate?
A: Anyone aged 18 or above can participate. Researchers from all countries are welcome, though payment methods may vary by jurisdiction.
Q: Do I need to be an ABHIEO user?
A: Yes, you should create an ABHIEO account for testing purposes and for receiving rewards. Rewards are credited to your ABHIEO wallet.
Q: How are rewards paid?
A: Rewards are credited to your ABHIEO wallet after KYC verification. You can use the balance for transactions or request withdrawal (subject to wallet policies).
Q: What if my report is a duplicate?
A: Only the first reporter of a vulnerability is eligible for a reward. Duplicate reports will be acknowledged but not rewarded.
Q: Can I test on production?
A: Yes, but you must minimize impact and use only your own test accounts. Do not conduct tests that could disrupt service for other users.
Q: What if I find something not in scope?
A: You can still report it to help us improve security, but it may not be eligible for a monetary reward. We appreciate all security feedback.
Q: Can I use automated scanners?
A: Automated scanners are not permitted without prior approval. Please contact us before using any automated tools.
Q: What if ABHIEO doesn't fix my reported issue?
A: We aim to fix all valid security issues. If we decide not to fix something, we'll explain our reasoning. You're still eligible for a reward for valid reports.
Q: Can I discuss my findings publicly?
A: Not until the vulnerability is fixed and we've agreed on a disclosure timeline. Premature disclosure will disqualify you from rewards and may result in legal action.
Q: Is there a maximum reward limit?
A: While we've set typical ranges, exceptional vulnerabilities with critical impact may receive rewards exceeding ₹50,000. Contact us for discussion.
📞 Contact Information
Security Team Contact
Primary Contact: security@abhieo.in
PGP Key: Available upon request for encrypted communication
Program Inquiries
For general questions about the bug bounty program:
Email: bugbounty@abhieo.in
Company Information
ABHIEO Fintech Private Limited
1/22, 2nd Floor, Asaf Ali Road
New Delhi, Delhi - 110002, India
⚠️ Important:
Do NOT send vulnerability reports to general customer support channels. Always use security@abhieo.in for security disclosures to ensure proper handling and faster response.