{"id":3205,"date":"2020-10-01T09:08:00","date_gmt":"2020-10-01T09:08:00","guid":{"rendered":"https:\/\/pickyassist.com\/blog\/?p=3205"},"modified":"2026-02-18T07:31:16","modified_gmt":"2026-02-18T07:31:16","slug":"bug-bounty-program-bug-beacon","status":"publish","type":"post","link":"https:\/\/pickyassist.com\/blog\/bug-bounty-program-bug-beacon\/","title":{"rendered":"Bug Bounty Program – Bug Beacon"},"content":{"rendered":"\n

Our Team of dedicated security professionals works vigilantly to keep Picky Assist platform fortified, Even after our scrutinizing if you happen to come across any security issues you may report the same to our security team. We would be honestly thankful for your help and will be more than happy to offer you a reward for submission of security bugs.<\/p>\n\n\n\n

We take security issues with absolute seriousness here at Picky Assist ! <\/p>\n\n\n\n

We provide bug bounties for security related subjects \/ findings \/ concerns that are responsibly reported to us. Please read our Rules and Guidelines for bug bounties before you start to hunt.<\/p>\n\n\n\n

Majority of the products are either in beta or alpha and rapidly undergoing development and hot fixes so may have functional and UI based bugs however we consider the following category of bugs as serious and offer up to $100 depends on the severity of the bug as listed below;<\/p>\n\n\n\n

Qualifying Scope<\/h2>\n\n\n\n
    \n
  1. Remote Code Execution (RCE)<\/li>\n\n\n\n
  2. Data Leakage \/ Theft <\/li>\n\n\n\n
  3. Session Hijacking (Not Stored XSS \/ Self XSS)<\/li>\n\n\n\n
  4. SQL based Injections <\/li>\n\n\n\n
  5. Unauthorized Access to Restricted Area<\/li>\n\n\n\n
  6. Server Side Request Forgery<\/li>\n\n\n\n
  7. Subdomain\/Domain Takeover<\/li>\n\n\n\n
  8. Session Fixation<\/li>\n\n\n\n
  9. Improper TLS protection<\/li>\n\n\n\n
  10. Directory Traversal<\/li>\n\n\n\n
  11. Business Logic Issues<\/li>\n<\/ol>\n\n\n\n

    Scope <\/h2>\n\n\n\n

    Please see which scope included and not included for the bug bounty program<\/p>\n\n\n\n

    Domain<\/strong><\/td>Eligibility<\/strong> <\/td><\/tr>
    https:\/\/pickyassist.com<\/td>Eligible<\/td><\/tr>
    https:\/\/pickyassist.com\/app<\/td>Eligible<\/td><\/tr>
    https:\/\/app.pickyassist.com<\/td>Eligible<\/td><\/tr>
    https:\/\/pickyassist.com\/beta
    https:\/\/pickyassist.com\/alpha<\/td>    		Not Eligible <\/td><\/tr>
    https:\/\/pickyassist.com\/blog<\/td>Eligible<\/td><\/tr>
    https:\/\/feedbacks.pickyassist.com<\/td>Not Eligible <\/td><\/tr>
    http:\/\/status.pickyassist.com<\/td>Not Eligible <\/td><\/tr>
    https:\/\/help.pickyassist.com<\/td>Not Eligible <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

    Reporting <\/h2>\n\n\n\n

    If you think you have observed an issue we encourage you to report it to us to support@pickyassist.com (in the prescribed mentioned format).<\/p>\n\n\n\n

    Kindly note our team may not respond if your reporting is not qualified as per our program rules as mentioned in this page<\/p>\n\n\n\n


    Happy Hunting!!!<\/strong>
    <\/p>\n\n\n\n

    Rules<\/strong><\/h1>\n\n\n\n
      \n
    1. Do not attempt attacks against other users during your research.<\/li>\n\n\n\n
    2. Don’t violate the privacy of other users, destroy data, disrupt our services, etc.<\/li>\n\n\n\n
    3. Do not attempt to gain access to another user’s information or data.<\/li>\n\n\n\n
    4. Do not use automated or scanner tools and no DoS or Spam attacks either.<\/li>\n\n\n\n
    5. Do not disclose details in public until we patch the issue.<\/li>\n\n\n\n
    6. No domains other than https:\/\/pickyassist.com, its Facebook App\/Mobile App\/WAP Site shall be considered or targeted for Security Audits.<\/li>\n\n\n\n
    7. Never attempt any non-technical\/social attacks against other users or Picky Assist staff.<\/li>\n\n\n\n
    8. Bug disclosure communications with Picky Assist Security Team are to remain confidential. Researchers must destroy all artefact created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.<\/li>\n<\/ol>\n\n\n\n

      What Does Not Qualify?<\/strong><\/h1>\n\n\n\n
        \n
      1. Bugs that are based on UI\/UX or non-functional elements of the product.<\/li>\n\n\n\n
      2. Any type of brute force cracking or automated attacks.<\/li>\n\n\n\n
      3. Problems that necessitate a significant amount of user interaction and\/or social engineering, such as persuading our clients to click on a link provided by an unknown party.<\/strong><\/li>\n\n\n\n
      4. Issues that only affect extensions, plug-ins, or legacy browsers.<\/li>\n\n\n\n
      5. Attack vectors that require the use of request interceptor tools or developer tools.<\/li>\n\n\n\n
      6. Any issue that has already been reported to us through our bug bounty program.<\/li>\n\n\n\n
      7. Vulnerabilities that Picky Assist has determined to be within an acceptable level of operational risk, such as clickjacking.<\/strong><\/li>\n\n\n\n
      8. XSS (or behaviors) that only allow you to attack yourself, such as “Self XSS”. This also includes stored XSS situations where you can’t inject XSS code into other accounts; any self-stored XSS in the same account is not considered for the bug bounty.<\/strong><\/li>\n\n\n\n
      9. Any issues targeting our support, blog, or other third-party sites.<\/li>\n\n\n\n
      10. CSV injection.<\/li>\n\n\n\n
      11. Session invalidation after password change.<\/li>\n\n\n\n
      12. Lack of adherence to best security practices that does not lead to a vulnerability.<\/li>\n\n\n\n
      13. Absence of security headers that do not directly result in a vulnerability.<\/li>\n\n\n\n
      14. Attacks that require physical access to a user device.<\/li>\n\n\n\n
      15. Disclosure of server information or files.<\/li>\n\n\n\n
      16. Email spoofing and related best practices.<\/li>\n\n\n\n
      17. Missing cookie flags on non-authentication cookies.<\/li>\n\n\n\n
      18. Missing best practices in DNS configuration (e.g., DKIM\/DMARC\/SPF\/TXT).<\/li>\n\n\n\n
      19. Missing best practices in SSL\/TLS configuration.<\/li>\n\n\n\n
      20. Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.<\/li>\n\n\n\n
      21. Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on a secure connection (HTTPS).<\/li>\n\n\n\n
      22. Credential re-usage from public dumps.<\/li>\n<\/ol>\n\n\n\n

        The Guidelines to Report Bugs<\/strong>.<\/strong><\/h1>\n\n\n\n