Responsible Disclosure Program
At Adda247, we believe that our products should be safe for all of our users. If you discover a security vulnerability in our platform, we appreciate your support in disclosing it to us in a responsible manner. Before reporting the vulnerability, please be sure to review our responsible disclosure policy. By participating in this program, you agree to be bound by these rules.
Reporting Guidelines and Rules:
To report a bug, fill out this form. We will get back to you within seven working days.
Please include a detailed summary of the vulnerability, including the target, steps to reproduce the issue, tools used during discovery, and screenshots/video. You can send a mail to security@adda247.com if you have any questions. Only emails sent to this email address will be considered valid for any questions regarding the Responsible Disclosure Program. Only reported bugs that were previously unknown to Adda247 and its subsidiaries will be considered valid.
Do not attempt to gain access to another user's account or data.
Do not brute force any of our services.
The use of automated security testing tools is strictly prohibited. Engaging in such activities may result in legal action.
Your testing should not affect any service or user account.
Do not disclose a bug to anyone other than our official email id security@adda247.com, not even directly to our employees.
Adda247 employees and their family members are excluded from this responsible disclosure program.
Scope:
*.adda247.com
Android App: Exam Prep - https://play.google.com/store/apps/details?id=com.adda247.app
StudyIQ Web - studyiq.com
StudyIQ Android App - https://play.google.com/store/apps/details?id=com.studyiq.android
Any domain/asset used by Adda247.
Out of Scope:
The following types of vulnerabilities and assets are considered to be out of scope:
*.careerpower.in
Android App: Career Power - https://play.google.com/store/apps/details?id=com.career.power
WordPress Blogs: All blogs including bankersadda.com, sscadda.com
Vulnerabilities reported on generic WordPress installations (core, plugins, themes) are out of scope unless the reporter provides:
Proof-of-concept (PoC) demonstrating a tangible and severe impact, such as data theft, account takeover, or unauthorized system access. This PoC should not rely on social engineering or user interaction to achieve impact.
StudyIQ Blogs, other domains, and subdomains, other than those mentioned in the above scope list.
Phishing
Social Engineering
Denial of service attacks
Resource Exhaustion Attacks
Self-XSS
Clickjacking
User enumeration
Open redirect (Unless chained to show an impact)
Reports from automated tools or scans
Logout CSRF attacks
Missing or incorrect SPF/DMARC/DKIM records
Lack of DNS CAA and DNS-related configuration
Missing security headers that do not lead directly to a vulnerability like Content Security Policy (CSP)
Missing Cookie attributes
Issues related to InvalidateCache policy / cache purge
Email addresses disclosed
Insufficient Session Expiration
No Captcha / Weak Captcha / Captcha Bypass
Weak password policies (length, complexity, etc.)
Tabnabbing
Server information disclosure / software version disclosure / unhandled error messages
No Rate Limit on emails/SMS sent (email/SMS bombing)
No Rate Limit on login/ password reset/ otp
Lack of jailbreak or root detection
Best practice TLS/ SSL configuration
Issues that are related to partner applications/ third-party services
Issues that require physical access to a victim's device
Android vulnerabilities related to Task Hijacking
Any other issues determined to be of low or negligible security impact.
Rewards:
We will reward you with a Hall of Fame entry and a Certificate of Appreciation for each valid bug report once the issue is fixed.
Based on the severity and impact of the reported bug, we may give an amazon.in gift voucher.
*The decision to reward is solely at the discretion of Adda247, and Adda247 may choose not to provide any reward if we feel the vulnerability is not critical and/or the submission doesn't follow any of the guidelines.
Legal Terms:
This program does not allow public disclosure.
Adda247 reserves the right to terminate or discontinue the Responsible Disclosure Program.
Hall of Fame:
We would like to thank the following people for helping us to secure our platform.
Thank you once again.
2022
Lokesh Agrawal
Bhargab Kaushik
Finlay James
M. Arslan Kabeer
Mahima Mangal
2023
Muhammad Asad
Raju Basak
Raghav Mishra
2024
Tabassum
Mayank Narware
Suraj Saini