Xoxoday Bug Bounty Program

At Xoxoday, we understand that consumer data protection is a high priority & extremely significant responsibility that requires constant monitoring. We deeply value all those in the security community who help us ensure 100% security of all our systems at all times.

We believe that responsible disclosure of security vulnerabilities helps us maintain the utmost security & privacy of our users. We invite security researchers to report any security vulnerability that they may come across in our products. Those submitting any bugs within our program's scope will be heartily rewarded for their support & security expertise.

How it works

  1. Reach out to us at cs@xoxoday.com to raise a ticket, if you happen to notice any potential security issue whilst also meeting all the required criteria in our policy.
  2. The validation of the reported issue in terms of severity & authenticity will be done by our security team in around 30-45 days.
  3. Post validation, steps will be taken to fix the security issues in accordance with our security policies.
  4. The owner of the ticket will be informed once the issue is resolved.


To be eligible for a reward, the following requirements must be met by you:

  1. You must be the first person to raise that vulnerability issue.
  2. The issue must impact any one of the applications listed under our defined scope.
  3. The issue must fall under the Qualifying bugs listed.
  4. Publishing of vulnerability information in the public domain is not allowed.
  5. Any information about the vulnerability issue must be kept confidential until the issue is resolved.
  6. No privacy policies set by Xoxoday can be violated performing security testing.
  7. Modification or deletion of unauthenticated user data, disruption of production servers, or any form of degradation to user experience is completely prohibited.

Violation of any of these rules can result in ineligibility or removal from the Xoxoday bug bounty program.


  1. Use only the identified channel cs@xoxoday.com to report any security vulnerability.
  2. While raising the ticket, ensure that the description and potential impact of the vulnerability is clearly mentioned.
  3. Detailed instructions on the steps to be followed to reproduce the vulnerability must also be included.
  4. A Video POC can be submitted, wherever possible.
  5. Preferred name to be used for recognition in our Hall of Fame section on the Bug Bounty Program page.


Bug Bounty rewards will be paid in the form of popular gift cards. The value of the gift card will depend upon the severity and quality of the bug.

  • Low priority - ₹1,000.
  • Medium priority - ₹2000 to ₹5,000.
  • High priority - ₹10,000 to ₹15,000.


The final decision on bug eligibility & rewarding will be made by Xoxoday. The program exists completely at the firm’s discretion and has the provision to be canceled at any time.

Found a Bug?

Reach out to us to raise a ticket, If you happen to notice any potential security issue whilst also meeting all the required criteria in our policy.