Setu’s bug bounty program

Setu works closely with security communities and white-hat hackers to ensure product safety.
We encourage this by offering rewards for ethical vulnerability disclosures via our vulnerability disclosure program (VDP).

Qualifying vulnerabilities

Our VDP covers vulnerabilities that put user data or service functionality at risk, across all of Setu's domains, properties, and infrastructure. Reported issues are assessed by our engineers for eligibility and severity.

Reward amounts are determined based on the reported vulnerability’s severity.
Get featured on the Hall of Fame for your bug-finding abilities!

Scope of reporting vulnerabilities

To qualify for bug bounty rewards or recognition, the reported vulnerability must pertain to a product directly owned by Setu and must not involve third-party services hosted or utilised by Setu, such as WordPress, our auth service provider, AWS, Freshdesk, and similar platforms.

When submitting a vulnerability report, please include a step-by-step video demonstration showing how the vulnerability is triggered. Make sure the steps are clearly described and that our team can reproduce the exploit from them.

Also, please note that the following reports are out of scope—

• "Self" XSS

• Blind SSRF

• CSV injection

• Tabnabbing

• Clickjacking on pages with no sensitive actions

• Sandbox domains

• Subdomain takeover without actually claiming it

• Content spoofing (ability to inject text on web pages)

• Autocomplete attribute on web forms

• Social engineering our employees or support agents

• Verbose error pages (without proof of exploitability), especially the /metrics endpoint

• Software version disclosure

• Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)

• Issues that do not affect the latest versions of modern browsers

• Issues that we are already aware of or have been previously reported

• Cross-Site Request Forgery with minimal security impact

• Lack of rate limiting or brute force issues

• Results of automated scanners without full exploitation

• Attacks requiring MITM or physical access to a user's device

• Denial of service attacks

• Missing security headers which do not lead directly to a vulnerability

• Missing best practices (we require evidence of a security vulnerability)

• Host header injections unless you can show how they can lead to stealing user data

• Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end-user interactions to be exploited

• API Key(s) or Token(s) without actually exploiting them


Investigating and reporting vulnerabilities

Report vulnerabilities here with detailed descriptions, hardware/software used, and supporting screenshots or recordings for reproduction. When investigating vulnerabilities, please follow these practices—

• Do not use or attempt to use any account or user information other than your own.

• Do not destroy or compromise any confidential, proprietary, or personal information that you may gain access to.

• Do not intentionally damage our systems or those of any associated third-parties.

• Do not violate any applicable local laws, including privacy & data protection laws.

• Do not compromise or publicly disclose any confidential, proprietary, or personal information that does not belong to you.

• If you make copies of any such information in the course of investigation, please permanently delete them as soon as possible after making the disclosure to us.

• Give us a reasonable period of time (at least 30 days) to fix the vulnerability before disclosing it publicly or sharing it with anyone else.


Legal

We support responsible security research and will not pursue legal action against individuals who report vulnerabilities in good faith and follow best practices. Additionally, please note that—

• This is not a competition or prize—VDP and rewards offered are at Setu's discretion, subject to withdrawal or modification at any time.

• Participation in the VDP implies confidentiality regarding the vulnerability, and an agreement to delete confidential, proprietary, or personal information obtained during investigation.

• Rewardees are responsible for any applicable taxes on reward amounts.


Report a bug

Please fill this form to submit your bug report. Do make sure you’ve read through and accepted our vulnerability disclosure policy beforehand.

Provide a short description and share a Google Drive link to a screen recording that can help us reproduce the bug.