Introduction

Hello security researchers, bug hunters and white hat groups, we are here to announce that Nepalekart has launched a Bug Bounty program to honour all the trailblazing external contributions that help us keep our users' data and customers' wallets safe. We are launching the Bug Bounty Program for all of our owned web and mobile application platforms.

If you believe that you have found a security vulnerability or bug on any Nepalekart-owned website or application, we encourage you to let us know straight away. Our team will investigate all legitimate reports and do our best to fix the problem quickly.

Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.

Guidelines

Responsible Disclosure Policy

Nepalekart believes effective disclosure requires mutual respect and transparency between researchers and our security team.

1. Security researchers and bug hunters should respect the rules, respect privacy, be patient and do no harm.
2. You must be the first researcher to responsibly report the vulnerability.
3. You may not publicly disclose the vulnerability prior to our resolution.
4. You need to be a little patient and allow us at least 48-72 hours to respond to you and open a ticket.
5. You need to allow us at least 15 to 20 days, depending upon the severity of the issue, to resolve the vulnerability; depending upon its criticality, we will try to fix it immediately with the best of our efforts.
6. Any improper public disclosure or misuse of information will entitle Nepalekart to take appropriate legal action.

ELIGIBILITY

To qualify for a bounty, you should:

1. Adhere to our Responsible Disclosure Policy (as mentioned above).
2. Be the first researcher to responsibly disclose the bug.
3. Use only test accounts to reproduce the vulnerability and do not attempt it on live accounts.
4. Submit a bug only if you have exploited a real vulnerability (refer to Scope Exclusions below).

Note: If you employ automated scanning tools, their request rate must not exceed 2 requests per second without prior approval. Failure to do so will be considered a DoS attack and will result in disqualification from the reward program. Results from automated scanning tools must be validated manually before submitting reports, as they commonly contain low-priority issues or false positives.

Scope

Nepalekart Web Application - www.nepalekart.com

Nepalekart Mobile Application – Android. (Latest Version)

Researchers should report bugs that could compromise the confidentiality, integrity or availability of our customers' wallet accounts or user data. Below are in-scope vulnerabilities.

"Typical" web vulnerabilities (such as OWASP Top-10) are generally considered in-scope. This includes:

1. Cross-Site Scripting (XSS)
2. SQL Injection
3. Cross-Site Request Forgery (CSRF)
4. Broken Authentication (including OAuth bugs)
5. Broken Session flaws
6. Remote Code Execution
7. Privilege Escalation
8. Provisioning Errors
9. Business Logical flaws
10. Misuse/Unauthorized use of our APIs
11. Improper TLS protection
12. Leaking of sensitive customer data (especially anything in the scope of PCI)

SCOPE EXCLUSIONS

Vulnerabilities not in scope:

1. Issues related to software/application not under Nepalekart's control
2. Vulnerabilities dependent upon social engineering techniques
3. Brute Force protection on login page
4. Autocomplete attribute on web forms (this works as designed)
5. Any physical attempts against Nepalekart property or data centres
6. Protocols or standards not developed by Nepalekart
7. Minor issues like version disclosures
8. DDoS attacks
9. Cookie attributes not set / Secure flag issues
10. Clickjacking
11. JavaScript library disclosures

Rewards

1. There is no maximum reward; each bug is awarded a bounty based on its severity, scope and exploit level.
2. High severity bug reporters will be listed on Nepalekart’s Wall of Fame.

On behalf of our thousands of users, Nepalekart would like to thank the following people who have found security vulnerabilities in products or services and have made a responsible disclosure to us.

  • Ajay Gautam
  • Rushi Gaikwad
  • Kishore Hariram
  • Virendra Tiwari
  • Fayis Vadakkan

Report Expectations

To ensure that we are able to understand what you are reporting and its potential impact, please make sure your report contains the following items and is structured as follows:

1. Only post ONE ISSUE per report.
2. What type of issue are you reporting? Does it align with a CWE or OWASP category?
3. Problem: What is the security issue? Please summarize it in one sentence.
4. Functioning exploit: Detailed steps for reproducing the bug. If possible, please include video or screenshots, links you clicked on, pages visited, etc.
5. What are the security implications? How will the problem affect Nepalekart, our users or our merchant partners? What is the worst thing that could happen if an attacker takes advantage of this security flaw? We do not accept reports copied from another site; a report that does not actually prove the vulnerability exists in our applications will be marked N/A.

Duplicate Reports

Nepalekart reserves the right to mark a report as a "duplicate": if we receive a report of a similar issue that has already been reported and would be resolved by the same fix that resolves your issue, your report will be marked as a duplicate because the root cause is the same.

Report vulnerabilities at: cs@nepalekart.com