Introduction

At DPDzero, we prioritize the security of our systems. If you discover a vulnerability, we encourage you to report it. Rewards are offered based on the severity of the issue.

Rewards

• Minor Vulnerability: 5,000 INR
• Moderate Vulnerability: 15,000 INR
• Critical Vulnerability: 50,000 INR

Reporting

Send your findings to infosec <at> dpdzero <dot> com with:

• Description of vulnerability
• Steps to reproduce
• Proof of concept

Rules

• Do not exploit the vulnerability
• Do not disclose publicly before resolution
• First report of the issue only

Please exclude the following test cases while conducting your tests:

• Denial of Service attacks and Distributed Denial of Service attacks.
• Rate limiting, brute force attack.
• Missing HTTP security headers and cookie flags on insensitive cookies.
• Clickjacking / UI Redressing attack.
• Self-XSS and XSS that affects only outdated browsers.
• Host header and banner grabbing issues.
• Automated tool scan reports. Example: Web, SSL/TLS Scan, Nmap scan results etc.
• Login/logout/low-business impact CSRF.
• Unrestricted file uploads.
• Open redirects – unless they can be used for actively stealing tokens.
• User enumeration such as User email, User ID etc.
• Session fixation and session timeout.
• Phishing / Spam (including issues related to SPF/DKIM/DMARC)
• Email spoofing.
• Attacks requiring MITM or physical access to a user’s device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS/HSTS configuration.
• Vulnerabilities that send unsolicited bulk messages (spam).
• Vulnerabilities reported by automated tools without analysis or qualification. Reports from automated web vulnerability scanners are acceptable only if you demonstrate the vulnerability is reproducible and has a security impact.
• Missing best practices in Content Security Policy.
• Missing HttpOnly or Secure flags on cookies.
• Tabnabbing.
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
• Vulnerabilities relying highly on social engineering aspect.
• Email flooding.
• Vulnerabilities such as xmlrpc that are no more valid on newer versions.

While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:

• Performing actions that may negatively affect DPDzero or its users (e.g. Spam, Brute Force, Denial of Service…)
• Accessing, or attempting to access, data or information that does not belong to you
• Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
• Conducting any kind of physical or electronic attack on DPDzero personnel, property or data centers
• Social engineering any DPDzero service desk, employee or contractor
• Conduct vulnerability testing of participating services using anything other than test accounts
• Violating any laws or breaching any agreements in order to discover vulnerabilities

Legal

Participation implies agreement to comply with all applicable laws and DPDzero’s terms of service.

Thank you for helping DPDzero stay secure!