Help us secure our platform and earn rewards for responsible vulnerability disclosure
We at Apni Sec work hard to keep our customers secure and make every effort to stay on top of the latest threats. We believe that information security is as important as our product offerings and should be handled with the utmost attention.
The program is active from November 1, 2025.
Security researchers are increasingly engaging with internet companies to hunt down vulnerabilities. If you are a security researcher and have found a valid security vulnerability in our applications (refer to the scope provided below), please report it to us right away through our Bug Bounty Responsible Disclosure Program.
If you have identified a vulnerability on any of our in-scope applications, please note the following eligibility conditions:
• We only reward the first reporter of a vulnerability
• You must report a qualifying vulnerability through the steps described in the "How to report a bug?" section
• Hall of Fame (HoF) listing is only available if the bug is rated critical or high
• If you are an Apni Sec employee or are related to an employee (parent, sibling, spouse, other relative, etc.), you are not eligible
• If you are our customer or a security researcher interested in making our systems safer, you are eligible
• Any disclosure of the vulnerability without prior consent from Apni Sec will result in disqualification
Important Notes:
• Only vulnerabilities rated critical and high are eligible for the Security Hall of Fame!
• Apni Sec may at its sole discretion rate vulnerabilities as critical, high, medium and low.
• A report may be ineligible if its impact and severity are found to be minimal or if the vulnerability is a false positive
The following issues and activities are out of scope and not eligible for reward:
• Third-party applications
• Any activity that could lead to the disruption of our service
• DoS and DDoS attacks are STRICTLY PROHIBITED
• UI-redressing/clickjacking on non-sensitive endpoints
• Issues that do not affect the latest version of modern browsers
• Disclosure of information that does not present a significant risk
• Cross-site Request Forgery with minimal security impact
• General best practices concerns
• Attacks requiring physical access to a user's device
• Missing email best practices & SSL/TLS misconfiguration
• Missing httpOnly or secure-only flags on cookies
• Public 0-day vulnerabilities that have had an official patch for less than 1 month will be considered on a case-by-case basis
• Email/Username enumeration
• No rate limiting on non-sensitive endpoints
• API key disclosure without proven business impact
• WordPress username disclosure
• Self-XSS that cannot be used to exploit other users
• Verbose messages/files/directory listings without disclosing any sensitive information
• CORS misconfiguration on non-sensitive endpoints
• Missing security headers
• Presence of autocomplete attribute on web forms
• Reverse tabnabbing
• Bypassing rate-limits or the non-existence of rate-limits
• Best practices violations (password complexity, expiration, re-use, etc.)
• Clickjacking without proven impact/unrealistic user interaction
• CSV injection
• Sessions not being invalidated (logout, enabling 2FA, etc.)
• Tokens leaked to third parties
• Anything related to email spoofing, SPF, DMARC or DKIM
• Content injection without being able to modify the HTML
• Email bombing
• HTTP request smuggling without proven impact
• Homograph attacks
• XML-RPC enabled
• Banner grabbing/Version disclosure
• Same-site scripting
• Subdomain takeover reports without a demonstrated takeover (a dangling DNS record alone is not sufficient)
• Arbitrary file upload without proof that the uploaded file exists on the server
• Blind SSRF without proven business impact (pingbacks are not sufficient)
• Disclosed/misconfigured Google Maps API keys
• Host header injection without proven business impact
If you have identified a vulnerability on any of our in-scope applications, follow these simple steps to report it:
Include your contact details in the report so that our security team can reach you quickly if further input is required to reproduce or close the vulnerability. If the vulnerability is in the Apni Sec Android/iOS app or website, also share the registered phone number of the account you used to discover it.
Reward Information:
We will reward you if we assess your vulnerability to be critical and if it results in a critical change to our workflow. Participants in the Program shall be strictly bound by the Responsible Disclosure Policy.
You shall protect all our Confidential Information (as defined below) from disclosure to any third party, hold it in trust and strictest confidence, and protect it against disclosure to any person in the same manner and with the same degree of care, but not less than a reasonable degree of care, that you use to protect your own confidential information.
You shall not access, store, modify or reproduce in writing our users' data or other Confidential Information. Further, you agree that you shall:
• not use any such Confidential Information except solely for the purpose of this program
• not divulge any such Confidential Information to any third party without prior written approval of Apni Sec
• not copy or reverse engineer any such Confidential Information or use/exploit such Confidential Information for your own benefit or the benefit of another
You shall ensure that your security testing causes no disruption to production systems, degradation of user experience, or destruction of data, whether through automated security scanners, brute forcing, DoS/DDoS attacks, testing of rate limits on non-sensitive endpoints, or otherwise.
If you inadvertently cause a privacy violation or disruption without malicious intent (such as accessing account data, service configurations, or other confidential information) while investigating an issue, disclose this immediately in your communication with the Company.
You shall refrain from exploiting a security issue you discover, or proceeding with further testing of it, for any reason (including to demonstrate additional risk).
You shall allow us a reasonable time to acknowledge your finding/report.
You shall not disclose the vulnerability in public channels before it is fixed. Before publishing any write-up on your finding, you must first obtain the Company's confirmation in writing. We may also ask you for a draft of your write-up for review before you publish it on any public channel.
Appropriate legal recourse shall be taken, and you shall not be eligible for our Program, if the identified vulnerabilities are exploited for unlawful gains, used to access restricted customer or system information, or used to impair the Company's systems, or if the Program guidelines are not followed or the Confidential Information is breached.
You shall not independently develop, or have developed for yourself, products, concepts, systems or techniques that are similar to or compete with the products, concepts, systems or techniques contemplated under the Program.
You shall indemnify, defend and hold the Company harmless from and against any losses, costs, expenses, damages of whatsoever nature which may be incurred or suffered by the Company arising out of or as a result of any breach of Program (including negligence) or otherwise of any of your obligations contained herein.
All Confidential Information furnished to you by the Company shall remain the exclusive property of the Company and the Company shall have the sole and exclusive ownership of all right, title, and interest in and to the Confidential Information, including ownership of all copyrights, patents and trade secrets pertaining thereto, subject only to the rights and privileges expressly granted by the Company under the terms of this Program.
This Program shall be governed by, construed and enforced in accordance with the laws of the Republic of India. The courts in India shall have the exclusive jurisdiction.
Nothing contained in this Program shall be construed to obligate the Company to disclose any information to you. This Program shall be fully binding upon you.
Apni Sec is proud to showcase the following researchers for their valuable contributions to making our products more secure for everyone.
Join our community of security researchers and help us build a safer digital world