Security
Bug Bounty Program
Help us keep Chapa safe. If you've found a security vulnerability in any Chapa product or service, we want to hear from you.
⚠️ Notice: As of April 10, 2024, we are not accepting submissions except from local testers.
Introduction
Chapa recognizes the importance of the security community in our quest to provide a safe and secure experience for our customers and stakeholders. If you are a security researcher who has found a vulnerability in any Chapa product or service, we would like to hear from you.
By submitting a security bug or vulnerability to Chapa via email, you acknowledge that you have read and agreed to the Program Terms and Conditions below. By providing a submission, you agree not to publicly disclose your findings or the contents of your submission to any third parties without Chapa's prior written approval.
Submit a Vulnerability
Please include detailed reporting and a working Proof of Concept in your report.
Send your submission to security@chapa.co. Your report should include a clear description of the vulnerability, steps to reproduce, and a working Proof of Concept (PoC). Submissions without sufficient detail may not be accepted.
Scope
In-Scope
*.chapa.co
Any subdomain under chapa.co is eligible for testing and reporting.
Out-of-Scope
internal.chapa.co
Testing or probing of this domain is strictly prohibited. Vulnerabilities found here will not be accepted.
Authorized Testing
Bug hunters are only authorized to test and report security vulnerabilities on the in-scope domains, specifically any subdomain under *.chapa.co. Testing or probing of internal.chapa.co is strictly prohibited, and any vulnerabilities discovered on that domain will not be accepted under this bug bounty program.
Permitted Activities
Bug hunters may perform the following activities:
Information gathering (reconnaissance)
Vulnerability scanning and assessment
Exploitation of vulnerabilities for proof of concept
Reporting of security vulnerabilities
Prohibited Activities
Bug hunters are not permitted to:
Engage in any activity that may disrupt the normal operation of the services under test.
Access, modify, or delete data on the systems.
Share discovered vulnerabilities with any third parties until they have been properly disclosed to and accepted by the program maintainers.
Responsible Disclosure
All vulnerabilities must be reported responsibly and promptly through the bug bounty platform or contact information provided by the program maintainers. Do not publicly disclose vulnerability details before Chapa has had a reasonable opportunity to address the issue.
No Legal Actions
The program maintainers commit to not pursue legal actions against bug hunters for good-faith security research and reporting of vulnerabilities within the scope of this program. Researchers who comply with these rules and act in good faith are protected under the Safe Harbor provisions of this program.
Rewards & Recognition
Rewards will be provided based on the severity of the reported vulnerability and at the discretion of the program maintainers. Recognition may be given to individuals who responsibly report and help fix security issues.
Reward amounts are determined by Chapa based on the validated severity, impact, and quality of the report. Duplicate reports or reports of ineligible vulnerabilities will not qualify for rewards.
Program Changes
The program maintainers reserve the right to modify the rules, scope, or rewards of the bug bounty program at any time without prior notice. Continued participation in the program constitutes acceptance of any such changes.
Safe Harbor
Bug hunters who abide by these rules and act in good faith will be protected from legal actions by the program maintainers. “Good faith” means conducting research in a manner that does not harm Chapa, its customers, or its systems, and disclosing vulnerabilities responsibly.
Program Duration
The bug bounty program is ongoing, and there is no set end date. Bug hunters are encouraged to continuously test for vulnerabilities within the defined scope.
⚠️ Notice: As of April 10, 2024, we are not accepting submissions with the exception of those from local testers.
Ineligible Vulnerabilities
Chapa does not consider the following to be eligible vulnerabilities:
API Key Disclosure without Proven Business Impact
Arbitrary File Upload without Proof of the Existence of the Uploaded File
Banner Grabbing / Version Disclosure
Best Practice Reports without a Valid Exploit
Best Practices Violations (Password Complexity, Expiration, Re-Use, etc.)
Blind SSRF without Proven Business Impact (Pingbacks are Not Sufficient)
Bypassing Rate-Limits or the Non-Existence of Rate-Limits
Clickjacking without Proven Impact / Unrealistic User Interaction
Content Injection without Being Able to Modify the HTML
Content / Text Spoofing
CSV Injection
CORS Misconfiguration on Non-Sensitive Endpoints
Denial of Service
Disclosed / Misconfigured Google Maps API Keys
Disclosure of Server or Software Version Numbers
Email Bombing
Anything Related to Email Spoofing, SPF, DMARC, or DKIM
Homograph Attacks
HTTP Request Smuggling without Any Proven Impact
Hypothetical Subdomain Takeovers without Supporting Evidence
Missing Cookie Flags
Missing Security Headers
Not Stripping Metadata of Files
Pre-Auth Account Takeover
Reports Exploiting the Behavior of, or Vulnerabilities in, Outdated Browsers
Reports of Spam
Reverse Tabnabbing
Self-XSS that Cannot be Used to Exploit Other Users
Session Invalidation or Improved Security Related to Account Management when a Credential is Already Known
Sessions Not Being Invalidated (Logout, Enabling 2FA, etc.)
Tokens Leaked to Third Parties
Unconfirmed Reports from Automated Vulnerability Scanners
User / Merchant Enumeration
Verbose Messages / Files / Directory Listings without Disclosing Sensitive Information
XMLRPC Enabled
Vulnerability Categories
Rewards are tiered based on the severity of the reported vulnerability. The following categories are used to classify eligible reports:
Low Severity
Minor Info Disclosure
Low-Impact XSS
Open Redirects
Medium Severity
Stored XSS
SQL Injection (Low)
Session Fixation
Insecure Direct Object Reference (IDOR)
High Severity
SQL Injection (High)
Sensitive Data Exposure
Significant XSS
Server-Side Request Forgery (SSRF)
Broken Authentication
XML External Entity (XXE)
Insecure Deserialization
Privilege Escalation
For questions about this program, contact security@chapa.co