At PhonePe, we are committed to ensuring our systems are secure. We always aim to create a safe browsing environment for our customers. If a security researcher or a member of the public finds a security vulnerability in our systems and shares the details responsibly, we value their help. We collaborate with them to fix these issues quickly and publicly acknowledge their assistance if they prefer. PhonePe reserves the right to assess reports on the basis of the business impact of the vulnerability. Our priority is to safeguard our users’ sensitive information and maintain the trust they place in us. The Security Community’s cooperation plays a vital role in enhancing the security of our platform for everyone.
Non-Compliance
Public disclosure of the submission details of any identified or alleged security vulnerability without express written authorization from PhonePe will render the submission non-compliant with this Responsible Disclosure Policy.
Furthermore, to remain compliant, you are prohibited from:
- Accessing, downloading, or modifying data residing in an account that does not belong to you
- Executing or attempting to execute any “Denial of Service” attack
- Posting, transmitting, uploading, linking to, sending, or storing any malicious software
- Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages
- Testing in a manner that would degrade the operation of any PhonePe systems
- Testing third-party applications, websites, or services that integrate with or link to PhonePe systems
Types of Recognition
- Hall of Fame
Program Terms & Conditions
The Program applies to security vulnerabilities found within PhonePe’s Environment, including, but not limited to, PhonePe’s websites, APIs, and mobile applications. We recognize security researchers who help us keep users safe by reporting vulnerabilities in our services. The recognition for these reports is entirely at PhonePe’s discretion and is determined based on factors such as Severity, Likelihood, and Business Impact of the reported finding.
Typically, in-scope submissions will include high-impact vulnerabilities. However, any vulnerability that could realistically place our customers’ security or their data at significant risk is in scope and might be rewarded. Vulnerabilities that directly or indirectly affect the confidentiality or integrity of user data or privacy are prime candidates for a reward. When deciding whether a vulnerability “qualifies”, we consider whether it has one or more of the following characteristics:
- Directly or indirectly affect the confidentiality or integrity of user data or privacy;
- Compromise the integrity of the system;
- Enable unauthorized access to significant data or resources;
- Enable the running of unauthorized code;
- Increase privileges or access beyond that which is intended;
- Interfere with or bypass security controls or mechanisms;
- Are exploitable (i.e. not purely theoretical);
- Can be launched remotely; and
- Could cause damage to a user’s system
To be eligible for the Bug Bounty Program, you MUST meet the following requirements:
- Adhere to PhonePe Responsible Disclosure Policy
- Your report must describe a security vulnerability involving and/or affecting one of the products or services listed under “Scope”.
- Your report must not fall under the types of security findings we expressly exclude; these are listed under “Program Exclusions”.
- If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating a vulnerability, make sure that you disclose this in your report.
In addition, you MUST NOT:
- Be in violation of any national, state, or local law or regulation;
- Be employed by PhonePe Private Limited or its subsidiaries;
- Be an immediate family member of a person employed by PhonePe Private Limited, or its subsidiaries or affiliates.
Our commitment
If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy, PhonePe commits to:
- Working with you to understand and validate the issue
- Addressing the risk (if deemed appropriate by PhonePe)
- Investigating and responding to all valid reports. Our turnaround time (TAT) for a new report is usually 3-5 business days; however, we prioritize investigations based on risk and other factors.
- In the event of duplicate reports, we recognize the first person (or submitter) of a qualifying security vulnerability. (PhonePe determines duplicates and may not share details of the other reports.)
- Note that the use of PhonePe services, including for the purposes of this program, is subject to PhonePe’s Terms and Policies. We may retain any communications about security vulnerabilities that you report for as long as we deem necessary for program purposes, and we may cancel or modify this program at any time.
Program Scope
- PhonePe Consumer mobile app (Android & iOS)
- PhonePe For Business mobile app (Android & iOS)
- Share.Market mobile app (Android & iOS)
- Indus OS App Store
- Share.Market web app
- Indus OS Developer Dashboard
- phonepe.com
- support.phonepe.com
- business.phonepe.com
- api.phonepe.com
The PhonePe Security Team might consider submissions outside the above scope for further processing at its discretion without any commitment to bounty or recognition.
How to Report a Vulnerability?
If you happen to have identified a vulnerability on any of our web or mobile app properties, we request you to follow the steps outlined below:
- Please submit the vulnerability report form with the necessary details to recreate the vulnerability scenario. This may include screenshots, videos or simple text instructions.
- If the reported finding (vulnerability) could potentially extract information about our customers or systems, or impair our systems’ ability to function normally, please refrain from exploiting it so that we can consider your disclosure a responsible one.
- While we appreciate the input of Whitehat hackers, we may pursue legal recourse if the identified vulnerabilities are exploited for unlawful gains, access to restricted customer or system information, or impairment of our systems.
Qualifying Vulnerabilities
Any design or implementation issue that is reproducible and substantially affects the security of PhonePe customers is likely part of the scope of the program. The Vulnerability Rating Taxonomy is the baseline guide used for classifying technical severity. Common examples include:
- Injection vulnerabilities, including SQL and XML injection
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Server-side or Remote Code Execution (RCE)
- Authentication/Authorisation flaws, including IDOR and authentication bypass
- Domain take-over vulnerabilities
- Account Takeover (while testing, use a test account for PoC)
- Directory Traversal
- Sensitive Information Disclosure that can affect PhonePe’s customers, merchants, and/or overall PhonePe brand
- Significant security misconfiguration with a verifiable/exploitable vulnerability (must include a PoC)
- Sensitive/Internal Credentials disclosed by PhonePe or its employees posing a valid/verifiable risk to an in-scope asset (subject to investigation/authenticity of data).
Program Exclusions – Out Of Scope Vulnerabilities
The following categories of vulnerabilities are unlikely to be eligible and are excluded from recognition in the Program unless otherwise directed by PhonePe:
- Findings/Reports generated by automated scanner tools.
- Mobile client findings that require a ROOTED device.
- Outdated OS versions/App versions related vulnerabilities.
- Findings that cannot be utilised to exploit other users/customers of PhonePe – e.g., self-XSS.
- Publicly released CVEs and 0-days (zero-day vulnerabilities) within 90 days of their disclosure.
- “Advisory” or “Informational” reports that do not include any PhonePe testing or context.
- Threat Intel Reports.
- Vulnerabilities requiring MITM or physical access to the victim’s unlocked device.
- Any form of Denial of Service attacks/exploits.
- SPF and DKIM issues.
- Content injection.
- Hyperlink injection in emails.
- IDN homograph attacks.
- RTL Ambiguity.
- Content Spoofing.
- Password Policy related issues in Applications.
- Full-Path Disclosure on any property.
- Version number information disclosure.
- Clickjacking on pre-authenticated pages, the non-existence of X-Frame-Options, or other non-exploitable clickjacking vulnerabilities.
- CSRF-able actions that do not require authentication (or a session) to exploit.
- Login/logout CSRF.
- Reports related to the following security headers: Strict-Transport-Security (HSTS), XSS mitigation headers (X-XSS-Protection), X-Content-Type-Options, and Content-Security-Policy (CSP) settings (excluding a missing nosniff directive in an exploitable scenario).
- Bugs that do not represent any security risk – e.g. functional bugs, logical bugs, workflow bugs, feature bugs, etc.
- Open Redirect vulnerabilities (Phishing).
- Security bugs in third-party applications or services built on the PhonePe API: please report them directly to the company that built the application or service.
- Security bugs in software related to an acquisition for 90 days following any public announcement.
- Findings related to HTTP TRACE or OPTIONS methods.
- Missing Secure or HttpOnly flags on non-sensitive (i.e., non-session) cookies.
- Tap jacking.
- Subdomain takeovers without supporting evidence.
- Missing best practices in SSL/TLS configuration.
- Open ports without an accompanying proof-of-concept demonstrating vulnerability.
- PhonePe Mobile App-specific Exclusions:
- Reports that the PhonePe app does not verify the CVV of credit cards: this verification can only be performed by the card-issuing bank, so it is outside the app’s control.
- Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device.
- Username enumeration on customer-facing systems (i.e. using server responses to determine whether a given account exists).
- Vulnerabilities requiring extensive user interaction.
- Exposure of non-sensitive data on the device.
- Vulnerabilities on third-party libraries without showing specific impact on the target application (e.g. a CVE with no exploit).
Reports not Eligible for Recognition
All out-of-scope assets and vulnerabilities mentioned above are NOT eligible for recognition/rewards. Multiple reports of the same bug on different endpoints will be closed as duplicates if they require one fix.
Reporting a security finding
We encourage security researchers to share the details of any suspected vulnerabilities with the PhonePe Security Engineering Team by submitting the form under the header “How to Report a Vulnerability?”. PhonePe will review the submission to determine if the finding is valid and has not been previously reported. At PhonePe’s discretion, you may be eligible for monetary compensation for your efforts. Employees of PhonePe or PhonePe subsidiaries, and vendors currently working with PhonePe, are not eligible for financial compensation. If you belong to any of the listed categories, you must specify that in your report. We require security researchers to include detailed information, with steps for us to reproduce the vulnerability.
Acknowledgements
We do not have a bounty/cash reward program for such disclosures, but we express our gratitude for your contribution in different ways. For genuine ethical disclosures, we would be glad to publicly acknowledge your contribution in this section on our website. This is done only if you want a public acknowledgement.
Hall Of Fame
PhonePe thanks the following people for finding and responsibly disclosing security vulnerabilities in PhonePe-owned apps, products or services. We are grateful for their contribution and efforts towards the security of PhonePe.