avatar
Bug bounty
Public

Pine Labs Bug Bounty Program

Payment Services for Retail Merchant

Reward

Bounty
Hall of fame
$0
Low
$50
Medium
$250
High
$500
Critical
$1,000

Program

Avg reward
-
Max reward
-
Scopes
24
Supported languages
English

Hacktivity

Reports
455
1st response
< 1 day
Reports last 24h
2
Reports last week
3
Reports this month
2

Pine Labs

Pine Labs is an Indian merchant platform company that provides financing and last-mile retail transaction technology, founded in 1998. It is one of the unicorn companies, with a valuation of over US$5 billion. It provides a merchant platform and makes software for point of sale machines.

Program Rules

At Pine Labs we recognize the important role that security researchers play in helping to keep Pine Labs and our customers secure.

By participating in this program you acknowledge that you have read and agreed to the Program Rules, which is defined as this entire document.

Testing Policy and Responsible Disclosure

Please adhere to the following rules while performing research on this program:

  • Denial of service (DoS) attacks on Pine Labs applications, servers, networks or infrastructure are strictly forbidden.
  • Avoid tests that could cause degradation or interruption of our services.
  • Do not use automated scanners or tools that generate large amount of network traffic.
  • Only perform tests against your own accounts to protect our users' privacy.
  • Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
  • Do not copy any files from our applications/servers and disclose them.
  • No vulnerability disclosure, full, partial or otherwise, is allowed.

Reward Eligibility and Amount

We are happy to thank everyone who submits valid reports which help us improve the security of Pine Labs, however only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • The report must contain the following elements:
    • Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and Pine Labs, and remediation advice on fixing the vulnerability
    • Proof of exploitation: screenshots and/or videos demonstrating the exploit was performed, and showing the final impact
    • Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc
  • You must not break any of the testing policy rules listed above
  • You must not be a former or current employee of Pine Labs or one of its contractors.

Reward amounts are based on:

  • Reward grid of the report's scope
  • CVSS scoring and actual business impact of the vulnerability upon performing risk analysis

Reports of leaks and exposed credentials

We are open to some types of reports related to exposed secrets, credentials or information.
Please pay attention to our list of Qualifying/Non-Qualifying vulnerabilities, as well as our Scope and the following rules.

In order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behaviour (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers

Eligible reports

Reports of exposed secrets, credentials and sensitive information will be considered eligible if it complies with the following:

  • The source of exposure/leak is under our control, directly or indirectly. e.g. stolen information or bundled information from a random source is not eligible.
  • The exposed information has been verified (or tested) and confirmed

If you identify a source (under our control) that is leaking multiple data, we kindly ask you to report it in a single report and we will consider the impact based on the nature and depth of the exposed data.

To summarize our policy, you may refer to this table :

Source of leak is in-scope Source of leak belongs to Pine Labs but is out-of-scope Source of leak does not belong to Pine Labs and is out-of-scope
Impact is in-scope (e.g. valid credentials on an in-scope asset) Eligible Eligible Not eligible
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) Eligible Eligible Not eligible

Important precautions and limitations

As a complement to the Program’s rules and testing policy :

  • DO NOT alter compromised accounts by creating, deleting or modifying any data
  • DO NOT use compromised accounts to search for post-auth vulnerabilities (they won’t be eligible anyway)
  • DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
  • In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
  • In case of sensitive information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describe and list what is exposed.

Reward

Asset value CVSS
Low
 CVSS
Medium
 CVSS
High
 CVSS
Critical
Critical
$50$300$700$1,000
High
$50$250$500$1,000
Medium
$50$200$350$500
Low
$25$50$75$100

Scopes

ScopeTypeAsset value
https://billingserver.pinelabs.com/ Web application
High
Low
$50
Medium
$250
High
$500
Critical
$1,000
dashboard.pluralonline.com Web application
High
Low
$50
Medium
$250
High
$500
Critical
$1,000
https://lounge.pinelabs.com/loungeui/login Web application
High
Low
$50
Medium
$250
High
$500
Critical
$1,000
https://pinepgconsole.in:9099 Web application
High
Low
$50
Medium
$250
High
$500
Critical
$1,000
analytics.pinelabs.com Web application
Medium
Low
$50
Medium
$200
High
$350
Critical
$500
https://myplutus.pinelabs.my/ Web application
Medium
Low
$50
Medium
$200
High
$350
Critical
$500
trm.pinepaymentsolutions.com Web application
Medium
Low
$50
Medium
$200
High
$350
Critical
$500
https://trm.pinelabs.ae Web application
Medium
Low
$50
Medium
$200
High
$350
Critical
$500
https://www.pinelabs.ae/ Web application
Low
Low
$25
Medium
$50
High
$75
Critical
$100
https://www.letspaylater.ph/ Web application
Medium
Low
$50
Medium
$200
High
$350
Critical
$500
https://credit.pinelabs.com Web application
Medium
Low
$50
Medium
$200
High
$350
Critical
$500
https://plmcixt.pinelabs.com/ Web application
Medium
Low
$50
Medium
$200
High
$350
Critical
$500
https://play.google.com/store/apps/details?id=com.pinelabs.emicatalogue.pinelabs&hl=uz Mobile application Android
Low
Low
$25
Medium
$50
High
$75
Critical
$100
https://emistores.pinelabs.com/ Web application
Low
Low
$25
Medium
$50
High
$75
Critical
$100
https://www.pinelabs.com/ Web application
Low
Low
$25
Medium
$50
High
$75
Critical
$100
https://www.pinelabs.my/ Web application
Low
Low
$25
Medium
$50
High
$75
Critical
$100
https://www.pinelabs.ae/ Web application
Low
Low
$25
Medium
$50
High
$75
Critical
$100
https://www.pinelabs.us/ Web application
Low
Low
$25
Medium
$50
High
$75
Critical
$100
https://board.pinelabs.com/ Web application
High
Low
$50
Medium
$250
High
$500
Critical
$1,000
https://nbs.pinelabs.com/ Web application
Medium
Low
$50
Medium
$200
High
$350
Critical
$500
https://api.pluralonline.com API
Critical
Low
$50
Medium
$300
High
$700
Critical
$1,000
https://api.pluralpay.in API
Critical
Low
$50
Medium
$300
High
$700
Critical
$1,000
https://pinepg.in/ API
Critical
Low
$50
Medium
$300
High
$700
Critical
$1,000
https://pluralcheckout.pinepg.in API
Critical
Low
$50
Medium
$300
High
$700
Critical
$1,000

Out of scopes

  • All other Pine Labs assets that are not listed above are to be treated as out of scope

Vulnerability types

Qualifying vulnerabilities

  • Cross-Origin Resource Sharing (CORS)/Cross-site Request Forgery (CSRF) with real security impact
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Business logic vulnerability with real security impact
  • Authentication bypass & broken authentication
  • Horizontal and vertical privilege escalation
  • Code injections (HTML, JS, SQL, PHP, ...)
  • Insecure Direct Object References (IDOR)
  • Remote Code Execution (RCE)
  • Cross-Site Scripting (XSS)
  • Exposed secrets, credentials or sensitive information from an asset under our control

Non-qualifying vulnerabilities

  • Incomplete reports missing one or more of the following elements: clear textual description of the vulnerability, proof of exploitation, complete steps with the neccesary information to reproduce the exploit
  • Reports describing hypothetical attack scenarios that are not demonstrable
  • Reports with attack scenarios requiring physical access to victim and/or victim's device, or social engineering attempts
  • Security best practices without demonstrated security impact
  • Recently disclosed 0-day vulnerabilities (less than 1 month since patch release)
  • Disclosure of information without security impact (Stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets etc.)
  • Vulnerabilities affecting outdated browsers - only exploits working on latest browser versions of Safari, FireFox, Chrome, Edge, IE will be accepted
  • Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Vulnerable/outdated software/libraries without demonstrated security impact
  • Vulnerabilities involving stolen credentials or physical access to a device
  • Account oracles: possibility to enumerate phone number, email, GUID etc
  • Logout and other instances of low-severity Cross-Site Request Forgery
  • XSS in POST requests (eg XSS in HTTP Host Header)
  • Presence of autocomplete attribute on web forms
  • Lack of rate-limiting or Captcha
  • Denial of Service (DoS) attacks
  • Crashing your own application
  • Clickjacking/UI redressing
  • Mixed content warnings
  • SSL/TLS best practices
  • Missing cookie flags
  • Protocol mismatch
  • Self XSS
  • Vulnerabilities affecting outdated application binaries - only exploits working on latest Android/iOS versions from the respective app stores will be accepted
  • Lack of client-side protections on mobile binaries: SSL pinning/binary protection/code obfuscation/jailbreak detection/root detection/anti-debugging controls/ etc
  • Lack of encryption on internal databases/preference files on mobile device
  • Exploits that are only possible on Android version 7 and below
  • Exploits that are only possible on IOS version 10 and below
  • Exploits that are only possible on a jailbroken device
  • Generic Android or iOS vulnerabilities
  • Stolen secrets, credentials or information gathered from a third-party asset that we have no control over

Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.

To submit a vulnerability report, you need to login with your hunter account.
program thumbnail
To submit a vulnerability report, you need to login with your hunter account.