Xoxoday Bug Bounty Program

1. Reach out to us at cs@xoxoday.com to raise a ticket, if you happen to notice any potential security issue whilst meeting all the required criteria in our policy.
2. The validation of the reported issue in terms of severity & authenticity will be done by our security team in around 90 days.
3. Post validation, steps will be taken to fix the security issues in accordance with our security policies.
4. The owner of the ticket will be informed once the issue is resolved.

To be eligible for a reward, the following requirements must be met by you:

1. You must be the first person to report a vulnerability to Xoxoday.
2. The issue must impact any one of the applications listed under our defined scope.
3. The issue must fall under the ‘Qualifying’ bugs listed.
4. Publishing of vulnerability information in the public domain is not allowed.
5. Any information about the vulnerability issue must be kept confidential until the issue is resolved.
6. No privacy policies set by Xoxoday must be violated when performing security testing.
7. Modification or deletion of unauthenticated user data, disruption of production servers, or any form of degradation to user experience is completely prohibited.

Violation of any of these rules can result in ineligibility or removal from the Xoxoday bug bounty program

1. Use only the identified channel cs@xoxoday.com to report any security vulnerability.
2. While raising the ticket, ensure that the description and potential impact of the vulnerability is clearly mentioned.
3. Detailed instructions on the steps to be followed to reproduce the vulnerability must also be included.
4. A complete Video POC should mandatorily be attached showing all the steps and information.
5. Details about the scope and qualification criteria are mentioned below.

1. Website: Xoxoday Store
2. Out-of-Scope websites: Staging subdomains, any other subdomain which is not connected to xoxoday.com

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:

• Cross-site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Server-Side Request Forgery (SSRF)
• SQL Injection
• Server-Side Remote Code Execution (RCE)
• XML External Entity Attacks (XXE)
• Access Control Issues (Insecure Direct Object Reference Issues, Privilege Escalation, etc)
• Exposed Administrative Panels that don't require login credentials
• Directory Traversal Issues
• Local File Disclosure (LFD) and Remote File Inclusion (RFI)
• Payments Manipulation
• Server-side code execution bugs
  

• Open-Redirects: 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing oauth tokens, we do still want to hear about them
• Reports that state that software is out of date/vulnerable without a 'Proof of Concept'
• Host header issues without an accompanying POC demonstrating vulnerability
• XSS issues that affect only outdated browsers
• Stack traces that disclose information
• Clickjacking and issues only exploitable through clickjacking
• CSV injection. Please see this article: CSV formula injection | Google
• Best practices concerns
• Highly speculative reports about theoretical damage. Be concrete
• Self-XSS that can not be used to exploit other users
• Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
• Reports from automated web vulnerability scanners (Acunetix, Burp Suite, Vega, etc.) that have not been validated
• Denial of Service Attacks
• Brute Force Attacks
• Reflected File Download (RFD)
• Physical or social engineering attempts (this includes phishing attacks against Xoxoday employees)
• Content injection issues
• Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
• Missing autocomplete attributes
• Missing cookie flags on non-security-sensitive cookies
• Issues that require physical access to a victim's computer
• Missing security headers that do not present an immediate security vulnerability.
• Fraud Issues
• Recommendations about security enhancement
• SSL/TLS scan reports (this means output from sites such as SSL Labs)
• Banner grabbing issues (figuring out what web server we use, etc.)
• Open ports without an accompanying POC demonstrating vulnerability
• Recently disclosed vulnerabilities. We need time to patch our systems just like everyone else – please give us two weeks before reporting these types of issues

Bug Bounty rewards will be paid in the form of popular gift cards. The value of the gift card will depend upon the severity and quality of the bug as below:

The final decision on bug eligibility and rewarding will be made by Xoxoday. The program exists completely at the firm’s discretion and has the provision to be canceled at any time.