Flipkart HealthPlus's responsible disclosure policy

Flipkart Health+ is the digital healthcare marketplace platform that is a part of the Flipkart Group - India’s homegrown consumer internet ecosystem. Flipkart Health+ aims to provide millions of customers across the country access to quality and affordable healthcare through genuine medicines and healthcare products delivered to them. At Flipkart Health+, we take the security of our systems and our services very seriously, and it is our constant effort to make our products secure and keep customer data very safe.

How to report an issue?

At present, the Flipkart Bug Bounty Program is private and works as an invitation-only basis. If you are not invited to our program but think you have discovered a valid in scope vulnerability, please report it to us via the submission form available here.

Once we receive your submission, the team will investigate your report and work with you to understand and remediate the vulnerability. If you intend to make the information public for educational or other such needs, please give us reasonable time to appropriately fix the problem before making such information public. Our security team will work with you to estimate and commit to such a time frame. Please don’t discuss or disclose the vulnerability details until we close the report.

Also, if the identified vulnerability can be used to potentially extract information of our customers or systems, or impair our systems' ability to function normally, then please refrain from actually exploiting such a vulnerability. This is absolutely necessary for us to consider your disclosure a responsible one. While we appreciate the inputs of White Hat hackers, we may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customer or system information or impairing our systems.

Thank you for keeping Flipkart and our customers safe.

Out-of-Scope vulnerabilities

  • Must demonstrate security impact for the report to be considered - general software bugs(like SSL, older versions etc.) are not in scope for this program.
  • Username Enumeration via signup and account recovery forms
  • Vulnerabilities regarding SPF/DMARC/DKIM records without verifiable proof of spoofing to a major mail client
  • Best practice concerns like cookie is not marked secure and http only, missing HSTS, SSL/TLS configuration, missing security headers, etc.
  • Vulnerabilities reported by automated tools and scanners without additional proof of concept
  • Vulnerabilities that only affect outdated app versions or browsers - we consider vulnerabilities only in the versions of our applications that are currently in the app store and exploits only in the latest browser versions
  • Denial of Service(DoS) and Distributed Denial of Service(DDoS) attacks
  • Exploits that need MITM or physical access to the victim’s device
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF
  • Previously known vulnerable libraries without a working Proof of Concept
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Most of the open redirect vulnerabilities have low security impact. In case, the impact is high, do let us know.
  • Stack traces, directory listings or path disclosures
  • Self XSS
  • Social engineering attacks, both against users or Flipkart employees
  • Issues related to delivery charges exception on return

Out-of-Scope vulnerabilities for android/ios

  • Exploits reproducible only on rooted/jailbroken devices
  • Absence of certificate pinning
  • Snapshot/Pasteboard/Clipboard data leakage
  • Lack of obfuscation
  • Exploits using runtime changes
  • Application crashes
  • Irrelevant activities/intents exported
  • Android backup vulnerability

Acknowledgements

Our bounty payouts are directly tied to security impact, But, If we think that for a particular bug a researcher went an extra mile we might add a bonus to the existing payout. For public disclosure, we would need to review the report and ask you to hide certain details and also we can acknowledge your contributions in the "Hall of Fame" section.

A big thank-you!