Responsible Disclosure Program
At Adda247, we believe that our products should be safe for all of our users. If you discover a security vulnerability in our platform, we appreciate your support in disclosing it to us in a responsible manner. Before reporting the vulnerability, please be sure to review our responsible disclosure policy. By participating in this program, you agree to be bound by these rules.
Reporting Guidelines and Rules:
To report a bug, fill out this form. We will get back to you within seven working days.
Please include a detailed summary of the vulnerability, including the target, steps to reproduce the issue, tools used during discovery, and screenshots/ video. You can send a mail to firstname.lastname@example.org if you have any questions. Only emails sent to this email address will be considered valid for any questions regarding the Responsible Disclosure Program.
Only those reported bugs will be considered valid, which have been unknown to Adda247 and its subsidiaries.
Do not attempt to gain access to another user's account or data.
Do not brute force any of our services.
Your testing should not affect any service or user account.
Do not disclose a bug to anyone else other than our official email id email@example.com even not to our employees directly.
Adda247 employees and their family members are excluded from this responsible disclosure program.
Android App: Exam Prep - https://play.google.com/store/apps/details?id=com.adda247.app
StudyIQ Web - studyiq.com
StudyIQ Android App - https://play.google.com/store/apps/details?id=com.studyiq.android
Any domain/asset used by Adda247.
Out of Scope:
The following type of vulnerabilities are considered to be out of scope:
Android App: Career Power - https://play.google.com/store/apps/details?id=com.career.power
WordPress Blogs: All blogs including bankersadda.com, sscadda.com
StudyIQ Blogs, other domains, and subdomains, other than those mentioned in the above scope list.
Denial of service attacks
Resource Exhaustion Attacks
Open redirect (Unless chained to show an impact)
Reports from automated tools or scans
Logout CSRF attacks
Missing or incorrect SPF/DMARC/DKIM records
Lack of DNS CAA and DNS-related configuration
Missing security headers that do not lead directly to a vulnerability
Missing Cookie attributes
Insufficient Session Expiration
Server information disclosure / software version disclosure / unhandled error messages
No Rate Limit on emails/SMS sent (email/SMS bombing)
No Rate Limit on login/ password reset/ otp
Lack of jailbreak or root detection
Best practice TLS/ SSL configuration
Issues that are related to partner applications/ third-party services
Issues that require phisical access to a victim's device
Android vulnerabilities related to Task Hijacking
Any other issues determined to be of low or negligible security impact.
We will reward you with a Hall of Fame and Certificate of Appreciation for each valid bug report once issue is fixed.
Based on the severity and impact of the reported bug, we may give an amazon.in gift voucher.
*The decision to reward is solely at the discretion of Adda247 and Adda247 may choose not to provide any reward if we feel the vulnerability is not critical and/or the submission doesn’t follow any of the guidelines.
This program does not allow public disclosure.
Adda247 reserves the right to terminate or discontinue the Responsible Disclosure Program.
Hall of Fame:
We would like to thank the following people for helping us to secure our platform.
Thank you once again.
M. Arslan Kabeer