Reward
Program
Hacktivity
Pine Labs
Pine Labs is an Indian merchant platform company that provides financing and last-mile retail transaction technology, founded in 1998. It is one of the unicorn companies, with a valuation of over US$5 billion. It provides a merchant platform and makes software for point of sale machines.
Program Rules
At Pine Labs we recognize the important role that security researchers play in helping to keep Pine Labs and our customers secure.
By participating in this program you acknowledge that you have read and agreed to the Program Rules, which is defined as this entire document.
Testing Policy and Responsible Disclosure
Please adhere to the following rules while performing research on this program:
- Denial of service (DoS) attacks on Pine Labs applications, servers, networks or infrastructure are strictly forbidden.
- Avoid tests that could cause degradation or interruption of our services.
- Do not use automated scanners or tools that generate large amount of network traffic.
- Only perform tests against your own accounts to protect our users' privacy.
- Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
- Do not copy any files from our applications/servers and disclose them.
- No vulnerability disclosure, full, partial or otherwise, is allowed.
Reward Eligibility and Amount
We are happy to thank everyone who submits valid reports which help us improve the security of Pine Labs, however only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability (see below).
- The report must contain the following elements:
- Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and Pine Labs, and remediation advice on fixing the vulnerability
- Proof of exploitation: screenshots and/or videos demonstrating the exploit was performed, and showing the final impact
- Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc
- You must not break any of the testing policy rules listed above
- You must not be a former or current employee of Pine Labs or one of its contractors.
Reward amounts are based on:
- Reward grid of the report's scope
- CVSS scoring and actual business impact of the vulnerability upon performing risk analysis
Reward
Asset value | CVSS | CVSS | CVSS | CVSS |
---|---|---|---|---|
$50 | $300 | $700 | $1,000 | |
$50 | $250 | $500 | $1,000 | |
$50 | $200 | $350 | $500 | |
$25 | $50 | $75 | $100 |
Systemic issues
We appreciate all valid reports submitted to our program that enhance our security. However, please note that if a similar issue has already been reported by another hunter, the reward will be decreasing according to these percentages.
Scopes
Scope | Type | Asset value | Expand rewards grid |
---|---|---|---|
https://billingserver.pinelabs.com/ | Web application | ||
Low Medium High Critical | |||
dashboard.pluralonline.com | Web application | ||
Low Medium High Critical | |||
https://lounge.pinelabs.com/loungeui/login | Web application | ||
Low Medium High Critical | |||
https://pinepgconsole.in:9099 | Web application | ||
Low Medium High Critical | |||
analytics.pinelabs.com | Web application | ||
Low Medium High Critical | |||
https://myplutus.pinelabs.my/ | Web application | ||
Low Medium High Critical | |||
trm.pinepaymentsolutions.com | Web application | ||
Low Medium High Critical | |||
https://trm.pinelabs.ae | Web application | ||
Low Medium High Critical | |||
https://www.pinelabs.ae/ | Web application | ||
Low Medium High Critical | |||
https://www.letspaylater.ph/ | Web application | ||
Low Medium High Critical | |||
https://credit.pinelabs.com | Web application | ||
Low Medium High Critical | |||
https://plmcixt.pinelabs.com/ | Web application | ||
Low Medium High Critical | |||
https://play.google.com/store/apps/details?id=com.pinelabs.emicatalogue.pinelabs&hl=uz | Mobile application Android | ||
Low Medium High Critical | |||
https://emistores.pinelabs.com/ | Web application | ||
Low Medium High Critical | |||
https://www.pinelabs.com/ | Web application | ||
Low Medium High Critical | |||
https://www.pinelabs.my/ | Web application | ||
Low Medium High Critical | |||
https://www.pinelabs.ae/ | Web application | ||
Low Medium High Critical | |||
https://www.pinelabs.us/ | Web application | ||
Low Medium High Critical | |||
https://board.pinelabs.com/ | Web application | ||
Low Medium High Critical | |||
https://nbs.pinelabs.com/ | Web application | ||
Low Medium High Critical | |||
https://api.pluralonline.com | API | ||
Low Medium High Critical | |||
https://api.pluralpay.in | API | ||
Low Medium High Critical | |||
https://pinepg.in/ | API | ||
Low Medium High Critical | |||
https://pluralcheckout.pinepg.in | API | ||
Low Medium High Critical |
Out of scopes
- All other Pine Labs assets that are not listed above are to be treated as out of scope
Vulnerability types
Qualifying vulnerabilities
- Cross-Origin Resource Sharing (CORS)/Cross-site Request Forgery (CSRF) with real security impact
- Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
- Business logic vulnerability with real security impact
- Authentication bypass & broken authentication
- Horizontal and vertical privilege escalation
- Code injections (HTML, JS, SQL, PHP, ...)
- Insecure Direct Object References (IDOR)
- Remote Code Execution (RCE)
- Cross-Site Scripting (XSS)
- Exposed secrets, credentials or sensitive information from an asset in-scope
Non-qualifying vulnerabilities
- Incomplete reports missing one or more of the following elements: clear textual description of the vulnerability, proof of exploitation, complete steps with the neccesary information to reproduce the exploit
- Reports describing hypothetical attack scenarios that are not demonstrable
- Reports with attack scenarios requiring physical access to victim and/or victim's device, or social engineering attempts
- Security best practices without demonstrated security impact
- Recently disclosed 0-day vulnerabilities (less than 1 month since patch release)
- Disclosure of information without security impact (Stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets etc.)
- Vulnerabilities affecting outdated browsers - only exploits working on latest browser versions of Safari, FireFox, Chrome, Edge, IE will be accepted
- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- Vulnerable/outdated software/libraries without demonstrated security impact
- Vulnerabilities involving stolen credentials or physical access to a device
- Account oracles: possibility to enumerate phone number, email, GUID etc
- Logout and other instances of low-severity Cross-Site Request Forgery
- XSS in POST requests (eg XSS in HTTP Host Header)
- Presence of autocomplete attribute on web forms
- Lack of rate-limiting or Captcha
- Denial of Service (DoS) attacks
- Crashing your own application
- Clickjacking/UI redressing
- Mixed content warnings
- SSL/TLS best practices
- Missing cookie flags
- Protocol mismatch
- Self XSS
- Vulnerabilities affecting outdated application binaries - only exploits working on latest Android/iOS versions from the respective app stores will be accepted
- Lack of client-side protections on mobile binaries: SSL pinning/binary protection/code obfuscation/jailbreak detection/root detection/anti-debugging controls/ etc
- Lack of encryption on internal databases/preference files on mobile device
- Exploits that are only possible on Android version 7 and below
- Exploits that are only possible on IOS version 10 and below
- Exploits that are only possible on a jailbroken device
- Generic Android or iOS vulnerabilities
- Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
Reports of leaks and exposed credentials
In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and policy. To summarize our policy, you may refer to the below table:
Hunters collaboration
When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.
For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.