Bykea’s Vulnerability Disclosure Program Policy
Bykea’s management and senior leadership is committed towards protecting its brands, partners and users. As a part of this commitment, Bykea’s internal security team in collaboration with external researchers regularly test for new ways of how our adversaries might attempt to compromise our system. For this purpose, Bykea has launched a vulnerability disclosure program (VDP) to encourage security researchers and put forward clear guidelines for reporting security issues.
Your participation in Bykea’s Vulnerability Disclosure Program (VDP) is subject to the certain terms and conditions set forth in this Policy. By reporting a vulnerability to Bykea, you acknowledge that you have read and agreed to fully comply with this Policy.
Scope:
Bykea: Moving People & Parcels – Android | https://play.google.com/store/apps/details?id=com.bykea.pk |
Bykea Partner – Android | https://play.google.com/store/apps/details?id=com.bykea.pk.partner |
Bykea Bike Taxi & Delivery App – iOS | https://apps.apple.com/pk/app/bykea-bike-taxi-delivery-app/id1351179184 |
Exposed assets | *.bykea.net |
Exposed assets | *.bykea.shop |
Exposed assets | *.bykea.cash |
Qualifying Vulnerabilities
All security vulnerabilities having a substantial impact on confidentiality, integrity and availability of the user data is likely to be a part of the scope. Following are common examples but not limited to:
- Server-side Remote Code Execution (RCE)
- Cross Site Scripting (XSS)
- Cross-site request forgery in a privileged context
- Authentication and Authorization Flaws
- Server-Side Code Execution bugs
- Server-Side Injection Vulnerabilities
- Business Logic Flaws
- Insecure De-serialization Vulnerabilities
- Anything not listed but important/impactful
Program Rules and Restrictions:
- All Security Vulnerabilities should be reported through security[at]bykea.com email address.
- Researchers are advised to keep threads limited to 60 requests in 60 seconds while conducting an automated scan.
- Researchers may use a proof of concept (POC) to demonstrate the existence of the vulnerability, however they are not to use a finding to exfiltrate data or use it for post-exploitation without Bykea’s authorization.
- Researchers may not publicly disclose, or otherwise share information regarding vulnerabilities to any third party pertaining to Bykea’s intellectual property.
- When investigating a vulnerability, researchers may only use their own accounts as a target. Researchers may not interact with an individual Bykea’s user account in any way, including modifying or accessing data from an account, if the account owner has not expressly consented to such interaction.
- Researchers may not, and are not authorized to, engage in any activity that would be disruptive, damaging, or harmful to Bykea’s user base.
- In case, if a vulnerability provides unintended access to data, do not access the data beyond the minimum extent necessary to effectively demonstrate the presence of a vulnerability.
- Bykea is not liable to share the progress on reported vulnerability and how it is being patched. The bug bounty amount would be issued to the researcher once the vulnerability has been fixed.
- When reports on the same asset using the same attack vector/exploit are received, only the first report received is triaged. All other subsequent reports will be marked as a duplicate. Any report marked as duplicate of an already reported vulnerability is not eligible for a monetary reward.
- All the documented identified issues which are reported by the internal security team will also be marked as duplicate and wouldn’t be eligible for monetary rewards.
- Any unauthorized activity outside the terms of this program may be subject to disciplinary and/or legal action pursuant to applicable laws and Bykea’s policies.
- By making a Submission, you give us the right to use your Submission for any purpose.
- Bykea reserves the right to amend the terms and conditions of this program or terminate this VDP Program at any time with or without prior notice.
- Reports that include only crash dumps or other automated tool output will not be considered and may not receive a response. Please submit a clearly written report with steps to reproduce.
- We may modify the Program Terms or cancel the Responsible Disclosure Program at any time.
- Upon submitting a vulnerability you aren’t authorized to disclose the details of the vulnerability without permission or at least 5 years from the date of submission.
Safe Harbor Clause
Bykea will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with this Policy.
Out of Scope Items
Vulnerabilities falling in any of the following categories are not eligible for a reward:
- Click-jacking on Static HTML pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user’s device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Best Security practices concerns.
- Any kind of Denial of Service testing.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Rate-limiting issues on endpoints that do not disclose PII or can be used for account takeover.
- Vulnerabilities as reported by automated tools without additional analysis as to how they’re an issue
- Open ports without an accompanying proof-of-concept demonstrating vulnerability
- Third party websites and tools used by Bykea
- Missing cookie flags, missing or weak Content Security Policy or other security-related headers without demonstrating a vulnerability.
- Vulnerabilities that cannot be used to exploit other users — e.g. self-xss or having a user paste JavaScript into the browser console
- Username harvesting, guessable user account names, account enumeration.
- Information disclosure through error messages or response headers without demonstrating a vulnerability.
- OPTIONS/TRACE HTTP method enabled.
- Presence of autocomplete functionality in form fields.
- Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files and/or wildcard. presence/misconfiguration in these.
- Browser cache weakness.
- Reports of SSL/TLS Weak Ciphers
- Session management concerns such as session duration, concurrent active sessions or session invalidation triggers.
- Physical, Social engineering or phishing attempts
- Missing/Insufficient SPF, DKIM or DMARC record
- Vulnerabilities only affecting users of outdated or unpatched browsers
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Open redirect vulnerabilities including reports of window.opener redirects – unless an additional security impact can be demonstrated
- Stack traces
- DDOS (This is excluded from safe harbor and actions will be taken against the attacker)
- Spam attacks
- Vulnerabilities in third party software identified without proof of concept
- Root Detection Bypass or lack of SSL Pinning and/or bypass
- Lack of obfuscation in mobile apps.
- Lack of jailbreak/Root detection in mobile apps.
- Native Android/IOS vulnerabilities with no serious security impact
- Account oracles — the ability to submit a phone number, email, UUID and receive back a message indicating a Bykea account exists
- Android Tap Jacking
- UUID enumeration of any kind
- Invite/Promo code enumeration
- Endpoint/Email/IP disclosure without any exploitation.
- Path disclosure
- Missing Broken Links
Reward Amounts
Bug bounties vary according to the overall risk which is calculated mainly on the basis of several factors such as Privacy violations, Financial impact, potential to cause harm as well as its impact on the overall user base of Bykea. In Parallel, other factors such as complexity of the vulnerability and likelihood of the vulnerability being discovered are also considered when deciding the reward amount.