Our team of dedicated security professionals works vigilantly to keep the Picky Assist platform fortified. Even after our scrutiny, if you happen to come across any security issue, you may report it to our security team. We would be honestly thankful for your help and will be more than happy to offer you a reward for the submission of security bugs.
We take security issues with absolute seriousness here at Picky Assist!
We provide bug bounties for security-related findings and concerns that are responsibly reported to us. Please read our Rules and Guidelines for bug bounties before you start to hunt.
The majority of our products are either in beta or alpha and are rapidly undergoing development and hot fixes, so they may have functional and UI-based bugs. However, we consider the following categories of bugs serious and offer up to $100, depending on the severity of the bug, as listed below:
- Remote Code Execution
- Data Leakage / Theft
- Session Hijacking
- SQL Injection
- Unauthorized Access to Restricted Area
- Server Side Request Forgery
Please see below for what is in scope and out of scope for the bug bounty program.
If you think you have observed an issue, we encourage you to report it to us at [email protected] (in the format prescribed below).
- Do not attempt attacks against other users during your research.
- Don’t violate the privacy of other users, destroy data, disrupt our services, etc.
- Do not attempt to gain access to another user’s information or data.
- Do not use automated or scanner tools, and do not carry out DoS or spam attacks.
- Do not disclose details in public until we patch the issue.
- No domains other than https://pickyassist.com and its Facebook App/Mobile App/WAP Site shall be considered or targeted for security audits.
- Never attempt any non-technical/social attacks against other users or Picky Assist staff.
- Bug disclosure communications with the Picky Assist Security Team are to remain confidential. Researchers must destroy all artefacts created to document vulnerabilities (PoC code, videos, screenshots) after the bug report is closed.
What Does Not Qualify?
- Any UI/UX-based or non-functional product bugs.
- Any type of brute-force cracking or automated attack will not qualify for bounties.
- Problems that require a large amount of user interaction and/or social engineering.
- Issues that affect only a browser extension, plug-in, or legacy browser.
- Attack vectors that require request-interception tools or developer tools.
- Any issue that has already been reported to us through the bug bounty program.
- Vulnerabilities that Picky Assist has deemed to be at an agreeable level of operational risk (e.g. Clickjacking).
- XSS (or a behavior) where you can only attack yourself (e.g. “Self XSS”).
- Any issues targeting our support site, blog, or other third-party sites.
- CSV injection
- Sessions not being invalidated after a password change.
- Missing security best practices that do not constitute a vulnerability.
- Missing security headers that don’t lead directly to a vulnerability
- Attacks that require physical access to a user device
- Disclosure of server information in files.
- Email spoofing and related email best practices.
Guidelines for Reporting Bugs
- The report shall explain the bug sequentially and with clear specifications so that it can be reproduced, and shall be supported with URLs, videos and screenshots.
- The report shall explain the impact of the bug on the business and/or on users.
- The report shall be submitted with the reporter's name, email ID and other contact details.
- The report shall be submitted with details including the severity and the type of severity.
Recommended Report Format
- Provide the information at a glance.
- Severity: Critical / High / Medium / Low
- Proof of Concept: a detailed PoC with a video or screencast. List the endpoints that are affected; for server-side or backdoor entries, kindly mention the server hostname, IP, etc.
- Steps to Reproduce: please give step-by-step instructions to reproduce the bug.
- Picky Assist Registered Email Address: the account used by you as part of your research.
- Impact to Users & Business: explain how your findings can impact users or our business.
- Your Name | Email | Profile
Send your report to [email protected] with a subject containing “Bug Bounty”.
Points To Be Noted Before Submitting a Report
- Please report the issue immediately.
- Please do not upload your findings to any file-sharing website or YouTube; we prefer that you upload them to Google Drive or to your own private server.
- Please try to include only one problem per report to avoid complications.
- Please try to reproduce the bug at least three times before writing a bug report.
- Please test whether the same bug occurs on other modules of similar description.
- Please read through the bug report before you submit it.
“Please do conclude the report, as the point of reporting a bug is to get bugs fixed.”
What is the Picky Assist Bug Beacon Program?
Our Bug Beacon program allows individuals across the world to submit vulnerability reports in the prescribed format, but no business other than Picky Assist will qualify. All qualified submissions shall be eligible for a payment. Bounties will be paid out at Picky Assist's discretion based on the severity and impact of the vulnerability.
How are bounty payments made?
Bounty payments for accepted issues will be sent to researchers by bank transfer or PayPal. The amount will vary with the gravity / severity of the issues reported.
Will credit be given?
Definitely! Once the issue is patched, we shall publish the details on the Picky Assist “Hall of Fame” page. In addition, we will include the name of, and a link to, the researcher responsible for reporting the issue.
I have submitted an issue but have not received a response!
Please allow us at least 2-7 days to get back to you. We review each report with the utmost care and need to fully understand the scope of all issues you report.
Will Picky Assist offer a job as a Security Auditor for reporting security-related bugs?
We’ve always been proactive in offering jobs to researchers who report security-related bugs, but they need to pass the HR interview, the tech team interview, or both, to prove their proficiency. If they are not interested in employment, they can be offered work with us as freelance security auditors; we may engage them as and when new versions are released, so that they can report bugs and be financially compensated.
What is Picky Assist looking for?
We are looking for any bug that could maliciously crack the security of our users, within the purview of our threat model. Finding bigger bugs brings you closer to bigger rewards (the maximum is $100, as we are a self-funded startup), but all security-related bugs shall be rewarded.
“We Offer Rewards For Any Security Relevant Bugs. These Comprise Exploits, Vulnerabilities And Any Information About Ongoing Attacks.”