Advertisement
bilasi

Untitled

Sep 14th, 2017
894
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 10.51 KB | None | 0 0
  1.  
  2.  
  3. flights
  4. hotels
  5. homestays NEW
  6. holidays
  7. bus
  8. rail
  9. cabs NEW
  10. gift cards
  11. more +
  12.  
  13. Flight+Hotel
  14. Deals
  15. Stories
  16. Refer and Earn
  17.  
  18. Info
  19. Thanks
  20. Report Issue
  21.  
  22. Information
  23.  
  24. Would you like to partner with MakeMyTrip (MMT) in creating an awesome and secure online travel booking experience for our customers? And also earn some money doing so !
  25.  
  26. Introducing MMT's Bug Bounty program
  27.  
  28. If you believe you have found a serious security vulnerability on our site www.makemytrip.com or application (Android/iOS), we appreciate your help in letting us know responsibly. We treat all security reports as urgent and commit to investigating & resolving the issue within a reasonable timeframe. As a token of our appreciation, we offer a monetary reward depending on the impact of the issue. Please review this page, especially the responsible disclosure policy and reward guidelines before reporting.
  29.  
  30. Responsible Disclosure:
  31.  
  32. While conducting your research, we ask that
  33.  
  34. You will protect our users' privacy and data in good faith. You will not access or modify other user's data without our permission.
  35. You will ensure that no disruption is caused to the production systems, degradation of user experience and destruction of data during security testing.
  36. If you inadvertently cause a privacy violation or disruption in the absence of any malicious intention (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this immediately in your communication with us.
  37. You shall refrain from exploiting and/ or proceeding with subsequent testing of a security issue you discover for any reason (including demonstrating additional risk etc).
  38. You allow us a reasonable period of time to investigate and remediate the issue before you share it with others or disclose it publicly.
  39. You do not violate any other applicable laws or regulations.
  40.  
  41. Our commitment:
  42.  
  43. In return, we commit to
  44.  
  45. A human acknowledgement of your report within 5 working days
  46. Working with you to investigate and resolve the issue as quickly as possible
  47. Keeping you informed of the status of the issue reported
  48. Suitably reward your efforts (see reward guidelines below)
  49. Mention on Hall of Fame (we will seek your consent)
  50. Not pursue or support any legal action related to your research/ testing
  51.  
  52. Reporting Format:
  53.  
  54. Report defect using "Report Issue" link available on left hand side and provide all required details
  55.  
  56. Eligibility
  57.  
  58. You are a customer of MMT or a security researcher interested in making our sites and applications safe
  59. If you are employed by MMT or are related to an employee of MMT (spouse, parent or sibling), you are NOT eligible for the bug bounty program
  60.  
  61. Program Terms
  62.  
  63. Monetary bounties for security reports are entirely at MMT's sole discretion, and will be decided based on risk, impact, and other factors. To qualify for a bounty, you need to meet the following requirements:
  64.  
  65. Adhere to our Responsible Disclosure Policy.
  66. Report a security bug: that is, identify a vulnerability in our services or infrastructure which creates a security or privacy risk
  67. Your report must describe a problem involving one the products or services listed under "Bug Bounty Program Scope".
  68. You will render necessary assistance to MakeMyTrip to resolve the issue.
  69. The bounty will be paid only after the issue has been fully resolved by MMT
  70. We reserve the right to publish reports (and accompanying updates) without seeking your approval.
  71. All payments will be made in Indian Currency (INR).
  72. If we pay a bounty, the minimum reward is Rs.5000
  73. In the event of duplicate reports, we award a bounty to the first person to submit an issue (MMT determines duplicates and may not share details on the other reports). A given bounty is only paid to one individual.
  74. We verify that all bounty awards are permitted by applicable laws
  75. Note that extremely low-risk issues may not qualify for a bounty at all. We will have the sole discretion to ascertain the risk category.
  76. We seek to pay similar amounts for similar issues, but qualifying issues & amounts that are paid may change. Past rewards do not guarantee similar results in the future.
  77. We specifically exclude certain types of potential security issues; these are listed under "Ineligible Reports".
  78. A bounty shall only paid for bugs which have been unknown to MakeMyTrip. Already known bugs will not receive a bounty. Note: Reference is our internal bug tracking system.
  79. While we care about vulnerabilities affecting other services we use, we cannot guarantee that our disclosure policies apply to services from other companies. And in this case, you will NOT be eligible for the bounty program.
  80. Disclosure of the issue/ report via other means (like sharing it publicly on social media etc.) will render you ineligible for this program
  81. You refrain from contacting any employee of MMT via any other means/ channels regarding the program
  82.  
  83. Scope for the bug bounty program includes only these sites and apps
  84.  
  85. www.makemytrip.com
  86. Our mobile sites - on Android and iOS
  87. Our mobile apps - on Android or iOS
  88.  
  89. Breach of program terms & guidelines
  90.  
  91. We expect you to respect all the terms and conditions of the program & responsible disclosure as stated above. Any breach will automatically disqualify you from the bug bounty program and serious breaches of the guidelines might result in suspension of your account and/or legal action.
  92. Changes to Program Terms
  93.  
  94. The Bug Bounty Program, including its policies, are subject to change or cancellation by MMT at any time, without notice. As such, we may amend these Program Terms and/or its policies at any time by posting a revised version here.
  95. Ineligible Reports and False Positives
  96.  
  97. Some submission types are excluded because they are dangerous to assess, and/or because they have low impact to us. This section contains issues that are not accepted under this program, will be immediately marked as invalid, and are not rewardable.
  98.  
  99. Security issues in third-party services that integrate with MMT. These are not managed by MMT and do not qualify under our guidelines for security testing.
  100. Findings from physical testing such as office access (e.g. open doors, tailgating).
  101. Findings derived primarily from social engineering (e.g. phishing, vishing).
  102. Functional, UI and UX bugs and spelling mistakes.
  103. Refrain from running automated tools.
  104. Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.
  105. Issues that require physical access to a victim's computer.
  106. Network or application level Denial of Service (DoS/DDoS) vulnerabilities.
  107. Website scraping.
  108. Bugs requiring exceedingly unlikely user interaction.
  109. Flaws affecting the users of out-of-date browsers and plugins.
  110. The following finding types are specifically excluded from the bounty:
  111. Descriptive error messages (e.g. Stack Traces, application or server errors).
  112. HTTP codes/pages or other HTTP non- codes/pages.
  113. Disclosure of known public files or directories, (e.g. robots.txt).
  114. Clickjacking and issues only exploitable through clickjacking.
  115. CSRF in forms that are available to anonymous users.
  116. CSRF with minimal security implications (Logout CSRF, etc.).
  117. Presence of application or web browser 'autocomplete' or 'save password' functionality.
  118. Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  119. Lack of Security Speed Bump when leaving the site.
  120. Weak Captcha / Captcha Bypass
  121. Most brute-force issues or issues that can be exploited using brute-force
  122. Open re-directs
  123. HTTPS Mixed Content Scripts
  124. Self-XSS
  125. Username / email enumeration
  126. Publicly accessible login panels
  127. Reports that state that software is out of date/vulnerable without a proof of concept
  128. Host header issues without an accompanying proof-of-concept demonstrating vulnerability
  129. Stack traces that disclose information
  130. Best practices concerns
  131. Internal IP disclosure
  132. Lack of enforcement of HTTPS via redirection
  133. Fingerprinting issues (e.g. open ports without an accompanying proof-of-concept demonstrating vulnerability, banner grabbing)
  134. Sensitive data in URLs/request bodies when protected by SSL/TLS
  135. Issues reported in microsites with minimal or no user data
  136. Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger
  137. Missing security headers that do not present an immediate security vulnerability
  138. SSL Issues, e.g.
  139. SSL/TLS scan reports (output from sites such as SSL Labs)
  140. SSL Attacks such as BEAST, BREACH, Renegotiation attack
  141. SSL Forward secrecy not enabled
  142. SSL weak / insecure cipher suites
  143.  
  144. Out of Scope bugs for Android apps
  145.  
  146. Absence of certificate pinning
  147. Sensitive data stored in app private directory
  148. User data stored unencrypted on external storage
  149. Lack of binary protection control in android app
  150. Shared links leaked through the system clipboard.
  151. Any URIs leaked because a malicious app has permission to view URIs opened
  152. Sensitive data in URLs/request bodies when protected by TLS
  153. Lack of obfuscation
  154. oauth &#;app secret&#; hard-coded/recoverable in apk
  155. Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope)
  156.  
  157. Out of Scope bugs for iOS apps
  158.  
  159. Absence of certificate pinning
  160. Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
  161. Path disclosure in the binary
  162. User data stored unencrypted on the file system
  163. Lack of binary protection (anti-debugging) controls
  164. Lack of obfuscation
  165. Lack of jailbreak detection
  166. Runtime hacking exploits (exploits only possible in a jailbroken environment)
  167. oauth &#;app secret&#; hard-coded/recoverable in apk
  168. Snapshot/Pasteboard leakage
  169. Crashes due to malformed URL Schemes
  170.  
  171. Follow us
  172.  
  173. Facebook
  174. Twitter
  175. Google+
  176.  
  177. Country
  178.  
  179. India
  180. USA
  181. UAE
  182.  
  183. Have you tried our mobile app?
  184.  
  185. © makemytrip pvt. ltd.
  186.  
  187. estd. 2000. crafted in india
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement