Responsible Disclosure Policy

Unauthorized attempts to access, modify, or delete other users' data are strictly prohibited. If you inadvertently access user data, delete all relevant information immediately and report the incident to us without delay. Disclose any reproducible security issues to us as soon as possible. Vulnerability disclosures should only occur after we have confirmed the deployment or release of a fix. Findings obtained through automated tools that cause significant server load will not be considered.

Scope

Qualifying Vulnerabilities

Any design or implementation issue that is reproducible and substantially affects the security of Abhibus users or the platform is likely to be in scope for the program. Common examples include:

  • Injections
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Remote Code Execution (RCE)
  • Authentication/Authorisation flaws
  • Domain takeover vulnerabilities
  • Ability to take over other Abhibus user accounts (while testing, use a second test account of your own to validate)
  • Any vulnerability that can affect the Abhibus Brand, user data and financial transactions

Non-Qualifying Vulnerabilities

  • Clickjacking / UI redressing
  • Duplicates / Internally Known Issues
  • Vulnerabilities found using automated tools (unless possible impact is demonstrated)
  • Vulnerabilities requiring MITM or physical access to the victim's unlocked device
  • No rate limiting (unless it can lead to a serious issue, e.g. account hijacking)
  • Incomplete or missing SPF/DMARC/DKIM records
  • Low impact information disclosures such as software version disclosure
  • Missing Cookie flags
  • Vulnerabilities requiring the use of outdated browsers, plugins or platforms
  • Vulnerabilities having low or no security implications
  • Vulnerabilities that require the user/victim to perform extremely unlikely actions (e.g. Self-XSS)
  • IIS Tilde File and Directory Disclosure
  • CSV Injection
  • PHP Info

Feel free to report security issues at [email protected], but note that issues falling into the "Non-Qualifying" category may not be addressed.

Miscellaneous

Please adhere to the stated rules; non-compliance may result in legal action. When reporting a bug, ensure it is thoroughly documented, including the following details:

  • A comprehensive description of the bug, its impact, and recommended fixes
  • Step-by-step instructions to replicate the attack
  • A video proof of concept (POC) and clear snapshots of the actions performed
  • The IP address from which the requests were sent to our servers

Rewards (if applicable)

Unique bugs will be eligible for rewards. We do not offer monetary compensation for bug reports aimed at improving the security of Abhibus. In case of duplicate reports, the original reporter(s) will be notified.

Note

Abhibus reserves the right to change or modify its security policy as needed.