FirstCry Responsible/Vulnerability Disclosure
Scope
Scope includes both Shopping & Parenting Application for all platforms (Desktop site, Mobile site, Android, iOS).
Scope includes all subdomains related to Shopping & Parenting application.
Note: Bugs that impact both Shopping and Parenting will be considered as a single bug. Bugs that impact more than one domain will be eligible as a single bug only. Issues outside the defined scope (e.g. anything other than FirstCry.com, backend applications) will not be eligible for the responsible disclosure program, but we welcome reports from researchers if vulnerabilities affect these domains or subdomains.
We are more interested in the following vulnerabilities:
- Authentication/Authorization
- Insecure Cryptography
- Remote code execution
- Injection vulnerabilities
- Cross-site scripting (XSS)
- Server-Side Request Forgery
- Business Logic Flaws
Exclusions
- Missing SPF/DMARC.
- Reports from automated scripts or scanners
- Missing security headers
- Open redirects / forwards when leaving site
- Vulnerabilities that require extensive or obtuse social engineering
- Cross Site Scripting (XSS) with only self-impact.
- Missing best practices in SSL/TLS configuration.
- Attacks using MITM or physical access to a user’s device.
- Use of known vulnerable libraries without POC.
- Lack of Secure/HttpOnly flags on non-sensitive cookies, rate limiting without impact, password policy
- Credential Stuffing Attack.
- Lack of obfuscation in mobile apps.
FirstCry reserves the right to modify the Exclusions list.
Guidelines
- E-mail your findings to secure@firstcry.in
- Do not disclose the reported vulnerability to others until we have reasonable time to address it.
- Do respect our users' privacy
- Do not extort or shake us down.
- Do not take advantage of the vulnerability which you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or by deleting or modifying other users' data.
- Do not perform Denial of Service attacks, data corruption, buffer overflow attacks, social engineering or spam.
- Do include a detailed report with the finding, proof of concept, impact, screenshots, reproducible steps and recommendations; otherwise the disclosure process may be delayed or the report may not be considered valid.
- Multiple vulnerabilities caused by one underlying issue will be considered as a single vulnerability.
- Do provide enough information to reproduce the vulnerability, so we will be able to resolve it as quickly as possible.
- Do not reveal the report/vulnerability to others or publish any write-up related to the vulnerability without permission.
Program Policy
FirstCry reserves all rights to modify the terms & conditions of this program, and your participation in the program constitutes acceptance of all terms. Program terms and eligibility are effective immediately upon posting of an update. The researcher who is first to report a vulnerability will be acknowledged once the vulnerability is resolved. We appreciate the efforts of researchers and will acknowledge them with an appreciation email, digital certificate or name on the HoF page depending on the severity of the vulnerability. The severity of the vulnerability will be decided by FirstCry.
Hall of Fame
On behalf of the FirstCry team, we would like to thank the following researchers for contributing to the security of FirstCry:
- Harsh Gandhi (https://www.linkedin.com/in/harsh-gandhi-7a904b1ba/)
- Dwij Patel (https://www.linkedin.com/in/dwij-patel-806a8b176/)
- Sumit Sahoo (www.sumitsahoo.com)
- Abinesh Kamal K U (https://www.linkedin.com/in/abinesh-kamal-7b124493/)
- Mohsin Khan (https://www.linkedin.com/in/mohsin-khan-7185a615b)