avatar
Bug bounty
Public

Pine Labs Bug Bounty Program

Payment Services for Retail Merchant

Reward

Bounty
Hall of fame
$0
Low
$50
Medium
$250
High
$500
Critical
$1,000

Program

Avg reward
-
Max reward
-

Scopes
24
Supported languages
English

Hacktivity

Reports
465
1st response
< 1 day
Reports last 24h
-
Reports last week
4
Reports this month
12

Pine Labs

Pine Labs is an Indian merchant platform company that provides financing and last-mile retail transaction technology, founded in 1998. It is one of the unicorn companies, with a valuation of over US$5 billion. It provides a merchant platform and makes software for point of sale machines.

Program Rules

At Pine Labs we recognize the important role that security researchers play in helping to keep Pine Labs and our customers secure.

By participating in this program you acknowledge that you have read and agreed to the Program Rules, which is defined as this entire document.

Testing Policy and Responsible Disclosure

Please adhere to the following rules while performing research on this program:

  • Denial of service (DoS) attacks on Pine Labs applications, servers, networks or infrastructure are strictly forbidden.
  • Avoid tests that could cause degradation or interruption of our services.
  • Do not use automated scanners or tools that generate large amount of network traffic.
  • Only perform tests against your own accounts to protect our users' privacy.
  • Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
  • Do not copy any files from our applications/servers and disclose them.
  • No vulnerability disclosure, full, partial or otherwise, is allowed.

Reward Eligibility and Amount

We are happy to thank everyone who submits valid reports which help us improve the security of Pine Labs, however only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • The report must contain the following elements:
    • Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and Pine Labs, and remediation advice on fixing the vulnerability
    • Proof of exploitation: screenshots and/or videos demonstrating the exploit was performed, and showing the final impact
    • Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc
  • You must not break any of the testing policy rules listed above
  • You must not be a former or current employee of Pine Labs or one of its contractors.

Reward amounts are based on:

  • Reward grid of the report's scope
  • CVSS scoring and actual business impact of the vulnerability upon performing risk analysis

Reward

Asset value CVSS
Low
CVSS
Medium
CVSS
High
CVSS
Critical
Critical
$50$300$700$1,000
High
$50$250$500$1,000
Medium
$50$200$350$500
Low
$25$50$75$100

Systemic issues

1st report100%
2nd report100%
3rd report50%
4th report25%
5th report0%
6th+ report0%

We appreciate all valid reports submitted to our program that enhance our security. However, please note that if a similar issue has already been reported by another hunter, the reward will be decreasing according to these percentages.


Scopes

ScopeTypeAsset value
https://billingserver.pinelabs.com/ Web application
High
Low
$50
Medium
$250
High
$500
Critical
$1,000
dashboard.pluralonline.com Web application
High
Low
$50
Medium
$250
High
$500
Critical
$1,000
https://lounge.pinelabs.com/loungeui/login Web application
High
Low
$50
Medium
$250
High
$500
Critical
$1,000
https://pinepgconsole.in:9099 Web application
High
Low
$50
Medium
$250
High
$500
Critical
$1,000
analytics.pinelabs.com Web application
Medium
Low
$50
Medium
$200
High
$350
Critical
$500
https://myplutus.pinelabs.my/ Web application
Medium
Low
$50
Medium
$200
High
$350
Critical
$500
trm.pinepaymentsolutions.com Web application
Medium
Low
$50
Medium
$200
High
$350
Critical
$500
https://trm.pinelabs.ae Web application
Medium
Low
$50
Medium
$200
High
$350
Critical
$500
https://www.pinelabs.ae/ Web application
Low
Low
$25
Medium
$50
High
$75
Critical
$100
https://www.letspaylater.ph/ Web application
Medium
Low
$50
Medium
$200
High
$350
Critical
$500
https://credit.pinelabs.com Web application
Medium
Low
$50
Medium
$200
High
$350
Critical
$500
https://plmcixt.pinelabs.com/ Web application
Medium
Low
$50
Medium
$200
High
$350
Critical
$500
https://play.google.com/store/apps/details?id=com.pinelabs.emicatalogue.pinelabs&hl=uz Mobile application Android
Low
Low
$25
Medium
$50
High
$75
Critical
$100
https://emistores.pinelabs.com/ Web application
Low
Low
$25
Medium
$50
High
$75
Critical
$100
https://www.pinelabs.com/ Web application
Low
Low
$25
Medium
$50
High
$75
Critical
$100
https://www.pinelabs.my/ Web application
Low
Low
$25
Medium
$50
High
$75
Critical
$100
https://www.pinelabs.ae/ Web application
Low
Low
$25
Medium
$50
High
$75
Critical
$100
https://www.pinelabs.us/ Web application
Low
Low
$25
Medium
$50
High
$75
Critical
$100
https://board.pinelabs.com/ Web application
High
Low
$50
Medium
$250
High
$500
Critical
$1,000
https://nbs.pinelabs.com/ Web application
Medium
Low
$50
Medium
$200
High
$350
Critical
$500
https://api.pluralonline.com API
Critical
Low
$50
Medium
$300
High
$700
Critical
$1,000
https://api.pluralpay.in API
Critical
Low
$50
Medium
$300
High
$700
Critical
$1,000
https://pinepg.in/ API
Critical
Low
$50
Medium
$300
High
$700
Critical
$1,000
https://pluralcheckout.pinepg.in API
Critical
Low
$50
Medium
$300
High
$700
Critical
$1,000

Out of scopes

  • All other Pine Labs assets that are not listed above are to be treated as out of scope

Vulnerability types

Qualifying vulnerabilities

  • Cross-Origin Resource Sharing (CORS)/Cross-site Request Forgery (CSRF) with real security impact
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Business logic vulnerability with real security impact
  • Authentication bypass & broken authentication
  • Horizontal and vertical privilege escalation
  • Code injections (HTML, JS, SQL, PHP, ...)
  • Insecure Direct Object References (IDOR)
  • Remote Code Execution (RCE)
  • Cross-Site Scripting (XSS)
  • Exposed secrets, credentials or sensitive information from an asset in-scope

Non-qualifying vulnerabilities

  • Incomplete reports missing one or more of the following elements: clear textual description of the vulnerability, proof of exploitation, complete steps with the neccesary information to reproduce the exploit
  • Reports describing hypothetical attack scenarios that are not demonstrable
  • Reports with attack scenarios requiring physical access to victim and/or victim's device, or social engineering attempts
  • Security best practices without demonstrated security impact
  • Recently disclosed 0-day vulnerabilities (less than 1 month since patch release)
  • Disclosure of information without security impact (Stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets etc.)
  • Vulnerabilities affecting outdated browsers - only exploits working on latest browser versions of Safari, FireFox, Chrome, Edge, IE will be accepted
  • Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Vulnerable/outdated software/libraries without demonstrated security impact
  • Vulnerabilities involving stolen credentials or physical access to a device
  • Account oracles: possibility to enumerate phone number, email, GUID etc
  • Logout and other instances of low-severity Cross-Site Request Forgery
  • XSS in POST requests (eg XSS in HTTP Host Header)
  • Presence of autocomplete attribute on web forms
  • Lack of rate-limiting or Captcha
  • Denial of Service (DoS) attacks
  • Crashing your own application
  • Clickjacking/UI redressing
  • Mixed content warnings
  • SSL/TLS best practices
  • Missing cookie flags
  • Protocol mismatch
  • Self XSS
  • Vulnerabilities affecting outdated application binaries - only exploits working on latest Android/iOS versions from the respective app stores will be accepted
  • Lack of client-side protections on mobile binaries: SSL pinning/binary protection/code obfuscation/jailbreak detection/root detection/anti-debugging controls/ etc
  • Lack of encryption on internal databases/preference files on mobile device
  • Exploits that are only possible on Android version 7 and below
  • Exploits that are only possible on IOS version 10 and below
  • Exploits that are only possible on a jailbroken device
  • Generic Android or iOS vulnerabilities
  • Stolen secrets, credentials or information gathered from a third-party asset that we have no control over

Reports of leaks and exposed credentials

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and policy. To summarize our policy, you may refer to the below table:

Type of leak
Source of leak is in-scope
Source of leak belongs to the Organization and is out-of-scope
Source of leak does not belong to the Organization and is out-of-scope
Impact is in-scope (e.g. valid credentials on an in-scope asset)
checked Eligible
checked Not eligible
checked Not eligible
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset)
checked Eligible
checked Not eligible
checked Not eligible

Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.

To submit a vulnerability report, you need to login with your hunter account.