Our team of dedicated security professionals works vigilantly to keep the Picky Assist platform secure. If, despite our own scrutiny, you come across a security issue, please report it to our security team. We are genuinely thankful for your help and are happy to offer a reward for valid security bug submissions.
We take security issues with absolute seriousness here at Picky Assist!
We provide bug bounties for security-related findings and concerns that are responsibly reported to us. Please read our Rules and Guidelines for bug bounties before you start to hunt.
The majority of our products are in alpha or beta and undergo rapid development and hot fixes, so they may contain functional and UI bugs. However, we consider the following categories of bugs serious and offer up to $100, depending on the severity of the bug, for findings in the categories listed below:
Qualifying Scope
- Remote Code Execution (RCE)
- Data Leakage / Theft
- Session Hijacking (Not Stored XSS / Self XSS)
- SQL based Injections
- Unauthorized Access to Restricted Area
- Server Side Request Forgery
- Subdomain/Domain Takeover
- Session Fixation
- Improper TLS protection
- Directory Traversal
- Business Logic Issues
Scope
The following table lists which domains are in and out of scope for the bug bounty program.

| Domain | Eligibility |
| --- | --- |
| https://pickyassist.com | Eligible |
| https://pickyassist.com/app | Eligible |
| https://pickyassist.com/beta, https://pickyassist.com/alpha | Not Eligible |
| https://pickyassist.com/blog | Eligible |
| https://feedbacks.pickyassist.com | Not Eligible |
| http://status.pickyassist.com | Not Eligible |
| https://help.pickyassist.com | Not Eligible |
Reporting
If you believe you have found an issue, we encourage you to report it to us at [email protected], in the format prescribed below.
Please note that our team may not respond to reports that do not qualify under the program rules set out on this page.
Happy Hunting!!!
Rules
- Do not attempt attacks against other users during your research.
- Don’t violate the privacy of other users, destroy data, disrupt our services, etc.
- Do not attempt to gain access to another user’s information or data.
- Do not use automated or scanner tools and no DoS or Spam attacks either.
- Do not disclose details in public until we patch the issue.
- Only https://pickyassist.com and its Facebook App, Mobile App and WAP site may be targeted for security audits; no other domains will be considered.
- Never attempt any non-technical/social attacks against other users or Picky Assist staff.
- Bug disclosure communications with the Picky Assist Security Team are to remain confidential. Researchers must destroy all artefacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.
What Does Not Qualify?
- Bugs that are based on UI/UX or non-functional elements of the product.
- Any type of brute force cracking or automated attacks.
- Problems that necessitate a significant amount of user interaction and/or social engineering, such as persuading our clients to click on a link provided by an unknown party.
- Issues that only affect extensions, plug-ins, or legacy browsers.
- Attack vectors that require the use of request interceptor tools or developer tools.
- Any issue that has already been reported to us through our bug bounty program.
- Vulnerabilities that Picky Assist has determined to be within an acceptable level of operational risk, such as clickjacking.
- XSS (or behaviors) that only allow you to attack yourself, such as “Self XSS”. This also includes stored XSS situations where you can’t inject XSS code into other accounts; any self-stored XSS in the same account is not considered for the bug bounty.
- Any issues targeting our support, blog, or other third-party sites.
- CSV injection.
- Lack of session invalidation after a password change.
- Lack of adherence to best security practices that does not lead to a vulnerability.
- Absence of security headers that do not directly result in a vulnerability.
- Attacks that require physical access to a user device.
- Disclosure of server information or files.
- Email spoofing and related best practices.
- Missing cookie flags on non-authentication cookies.
- Missing best practices in DNS configuration (e.g., DKIM/DMARC/SPF/TXT).
- Missing best practices in SSL/TLS configuration.
- Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.
- Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on a secure connection (HTTPS).
- Credential re-usage from public dumps.
Guidelines for Reporting Bugs
- Explain the report step by step, with enough detail to reproduce the bug, and support it with the affected URL(s), videos and screenshots.
- Explain the impact of the bug on the business and/or on users.
- Include the reporter’s name, email ID and other contact details.
- Include the severity rating and the type of vulnerability.
Recommended Report Format
At a Glance
A brief summary of the finding
Severity Index
Critical / High / Medium / Low
Proof Of Concept
Detailed POC with video or screencast
End Points
The affected endpoints; for server-side issues or other server entry points, include the server hostname, IP, etc.
Steps to Reproduce
Step-by-step instructions to reproduce the bug
Picky Assist Registered Email Address
The Picky Assist account you used during your research
Impact to Users & Business
Explain how your finding can impact users or our business
Contact Info
Your Name | Email | Profile
Send your report to [email protected] with a subject line containing “Bug Bounty”
Points To Be Noted Before Submitting Report
- Report the issue as soon as you find it.
- Do not upload your findings to any public file-sharing website or YouTube; upload them to Google Drive or your own private server instead.
- Include only one problem per report, to avoid complications.
- Try to reproduce the bug at least three times before writing the report.
- Test whether the same bug occurs in other modules of a similar kind.
- Proofread your report before you submit it.
“Please do conclude the report, as the point of reporting a bug is to get it fixed.”
FAQ
What is the Picky Assist Bug Beacon Program?
Our Bug Beacon program allows individuals anywhere in the world to submit vulnerability reports in the prescribed format; reports concerning any business other than Picky Assist do not qualify. All qualifying submissions are eligible for a payment. Bounties are paid at Picky Assist’s discretion, based on the severity and impact of the vulnerability.
How are bounty payments made?
Bounty payments for accepted issues are sent to researchers by bank transfer or PayPal. The amount varies with the severity of the issue reported.
Will credit be given?
Definitely! Once the issue is patched, we publish the details on the Picky Assist “Hall of Fame” page, including the name of, and a link to, the researcher responsible for reporting the issue.
I have submitted an issue but have not received a response.
Please allow at least 2-7 days for us to get back to you. We review each report with the utmost care and need to fully understand the scope of every issue reported.
Does Picky Assist offer jobs to security auditors or to those who report security-related bugs?
We have always been proactive about offering jobs to researchers who report security-related bugs, but candidates must pass our HR interview, our technical interview, or both. Researchers not interested in employment may be offered work as freelance security auditors; we may engage them as new versions are released, and they can report bugs and be compensated for them.
What is Picky Assist looking for?
We are looking for any bug that undermines the security of our users, within the purview of our threat model. Bigger bugs bring bigger rewards (up to a maximum of $100, as we are a self-funded startup), but all security-related bugs are rewarded.
“We Offer Rewards For Any Security Relevant Bugs. These Comprise Exploits, Vulnerabilities And Any Information About Ongoing Attacks.”