Setu’s bug bounty program

Setu works closely with security communities and white-hat hackers to ensure product safety.
We encourage this by offering rewards for ethical vulnerability disclosures via our vulnerability disclosure program (VDP).
API connections

Qualifying vulnerabilities

Our VDP includes vulnerabilities risking user data or service functionality—across all domains, properties, and infrastructure. Reported issues are assessed by our engineers for eligibility and severity.

Reward amounts are determined based on the reported vulnerability’s severity.
Get featured on the Hall of Fame, for your bug finding abilities!

Scope of reporting vulnerabilities

To qualify for bug bounty rewards or recognition, the reported vulnerability must pertain to a product directly owned by Setu and cannot involve third-party services hosted or utilised by Setu, such as Wordpress, Auth service, AWS, Freshdesk, and similar platforms.

When submitting a vulnerability report, please include a step-by-step video demonstration detailing how to expose the vulnerability. Ensure that the steps are clearly articulated and reproducible by our team to exploit the identified vulnerability.

Also, please note that the following reports are out of scope—

• Denial of service attacks

• Rate limiting not present

• Sandbox domains

• Vulnerabilities only affecting users of outdated or unpatched browsers and platforms

• Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token)

• Attacks requiring physical access to a user’s device or vulnerabilities requiring physical access to the victim’s unlocked device

• Missing security headers which do not lead directly to a vulnerability

• Missing best practices (we require evidence of a security vulnerability)

• Host header injections unless you can show how they can lead to stealing user data

Investigating and reporting vulnerabilities

Report vulnerabilities here with detailed descriptions, hardware/software used, and supporting screenshots or recordings for reproduction. When investigating vulnerabilities, please follow these practices—

• Do not use or attempt to use any account or user information other than your own.

• Do not destroy or compromise any confidential, proprietary, or personal information that you may gain access to.

• Do not intentionally damage our systems or those of any associated third-parties.

• Do not violate any applicable local laws, including privacy & data protection laws.

• Do not compromise or publicly disclose any confidential, proprietary, or personal information that does not belong to you.

• If you make copies of any such information in the course of investigation, please permanently delete them as soon as possible after making the disclosure to us.

• Give us a reasonable period of time (at least 30 days) to fix the vulnerability, before disclosing details elsewhere.


We support responsible security research and will not pursue legal action against individuals who report vulnerabilities in good faith and follow best practices. Additionally, please note that—

• This is not a competition or prize—VDP and rewards offered are at Setu's discretion, subject to withdrawal or modification at any time.

• Participation in the VDP implies confidentiality regarding the vulnerability, and an agreement to delete confidential, proprietary, or personal information obtained during investigation.

• Rewardees are responsible for any applicable taxes on reward amounts.

Report a bug

Please fill this form to submit your bug report. Do make sure you’ve read through our vulnerability disclosure policy beforehand.

Provide a short description and share a Google drive link for a screen recording that can help us reproduce the bug.