In an endeavor to keep user data and customer wallets safe, and to provide a secure booking experience to customers, Yatra is introducing its Bug Bounty Program.
If you are a bug hunter, security researcher, or a white hat hacker, Yatra is extending you an opportunity to show your skills in identifying security vulnerabilities on yatra.com, and get rewarded in return.
If you think you can find software issues on yatra.com that have the potential to be exploited, we appreciate your help in letting us know as soon as possible. Our team will investigate the security reports and resolve the issue within a reasonable time frame. As a token of our appreciation, we offer a monetary bounty for all legitimate security reports based on their severity, complexity, and impact.
Responsible Disclosure Guideline
- You will not publicly disclose a bug before it has been fixed
- You will not violate any laws or regulations. Yatra will not be responsible for non-adherence to laws on your part.
- You will protect our users' privacy and data. You will not access or modify data without our permission
- You will ensure no disruption to our production systems and no destruction of data during security testing
- If any privacy violation is inadvertently caused by you while testing, you are liable to disclose it immediately to us
- You will abstain from exploiting a security issue you discover for any reason
- You will not attempt phishing or security attacks. This might end in suspension of your account.
- Due to a high number of submissions, we may take a reasonable time to fix the vulnerability reported by you. You have to allow us time to respond to you.
- We will get back to you preferably within 5 working days.
- We will keep you updated about the bug reported and its fix at our end
- We will suitably reward you for your effort
- If you are a Yatra employee or are related to an employee (parent, sibling, spouse), you are not eligible for the bug bounty program
- If you are a Yatra customer or a security researcher interested in making our systems safe, you are eligible
By participating in Yatra's Bug Bounty Program, you agree to comply with Yatra's terms and conditions. To qualify for a bounty, you have to meet the following requirements:
- Adherence to Yatra's Disclosure Policy
- Reporting of a security vulnerability
- You will provide necessary assistance to Yatra, if required, in resolving the security issue
- The bounty will be paid after the bug has been fixed
- We reserve the right to publish reports without your approval
- In case of duplicate reports, the person who reports it first would get the bounty
- All bounty rewards are permitted by applicable laws
- Yatra has the sole discretion to ascertain the risk category. Extremely low-risk issues may not qualify for a bounty.
- Though we seek to reward similar amounts for similar issues, qualifying issues and the amounts paid may change
- Certain types of security issues are excluded. We have listed them under 'out of scope reports'
- Bounty will be paid for bugs that were unknown to Yatra.com. You may refer to our internal bug tracking system to know the same.
- If you disclose a bug/security issue via social media, you will be rendered ineligible for this program
- You would refrain from contacting any Yatra employee regarding the program
Scope of Yatra's Bug Bounty Program
The scope of this program includes the following only:
- Our mobile sites - Android & iOS
- Our mobile apps - Android & iOS
In-scope web vulnerabilities for the bug bounty are:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF/XSRF)
- SQL Injection/ XXE / RCE
- Server Side Request Forgery (SSRF)
- Broken Authentication (including OAuth bugs)
- Broken Session flaws
- Remote Code Execution
- Privilege Escalation
- Provisioning Errors
- Business logic flaws
- Misuse/Unauthorized use of our APIs
- Improper TLS protection
- Leaking customers' sensitive data related to PCI norms
Not in scope
- Issues related to software/application not under Yatra's control
- Vulnerabilities dependent upon social engineering techniques
- Brute Force protection on login page
- Autocomplete attribute on web forms (this works as designed)
- Any physical attempts against Yatra property or data centres
- Protocols or standards not developed by Yatra.
- Minor issues like version disclosures.
- DDoS attacks.
- Cookie attributes not set/Secure flag issues
- Clickjacking
- JavaScript library disclosure
Out of scope for Android app
- Absence of certificate pinning
- Sensitive data stored in app private directory
- User data stored unencrypted on external storage
- Lack of binary protection controls in the Android app
- Shared links leaked through the system clipboard.
- Any URIs leaked because a malicious app has permission to view URIs opened
- Sensitive data in URLs/request bodies when protected by TLS
- Lack of obfuscation
- OAuth app secret hard-coded/recoverable in APK
- Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)
Out of Scope bugs for iOS apps
- Absence of certificate pinning
- Lack of exploit mitigations, i.e., PIE, ARC, or stack canaries
- Path disclosure in the binary
- User data stored unencrypted on the file system
- Lack of binary protection (anti-debugging) controls
- Lack of obfuscation
- Lack of jailbreak detection
Breach of our program's terms
You are expected to respect all the terms and conditions of Yatra's Bug Bounty Program. Non-adherence or non-compliance will automatically disqualify you. A serious breach may also lead to suspension of your account.
Changes to Program Terms
Yatra's Bug Bounty Program, and its policies, are subject to change or cancellation by Yatra at any time, without notice. Also, we may amend the terms and/or policies of the program at any time. In case of any change, a revised version will be posted here.