Bug Bounty Program

Identify a security vulnerability within the FYERS trading platform or FYERS App and report it to us. Read the Terms & Conditions carefully before reporting.


Terms & Conditions


Eligibility

The FYERS Bug Bounty Program is open to individuals aged 18 and above.

  • Participants must not be residents of countries listed under India's export controls or trade sanctions.
  • Employees, consultants, contractors, and immediate family members of FYERS or its affiliates are not eligible.

Program Scope

This program exclusively covers vulnerabilities in FYERS-owned, FYERS-operated, and FYERS-maintained online trading systems (Web & Mobile) and explicitly listed in-scope assets.

Only assets where FYERS has full technical control (source code, infrastructure, deployment pipeline) are eligible for bounty consideration.

In-Scope

  • FYERS Trading Platform (Web & Mobile App)
  • FYERS APIs that are part of the trading platform

Out of Scope

  1. Assets Not Owned or Managed by FYERS

    Vulnerabilities in the following are strictly out-of-scope and not eligible for bounty:

    • Third-party vendor platforms
    • Partner-hosted or white-labelled systems
    • Legacy, deprecated, or soon-to-be-decommissioned systems
    • Internal tools, corporate website, marketing pages, community or help pages
    • Any domain/subdomain not explicitly marked as "In Scope"
  2. Known or Accepted Issues

    • Vulnerabilities already known internally or currently under revamp, refactor, or decommissioning, even if publicly accessible
    • Findings pending migration to a new architecture
    • Issues reported previously or tracked internally as part of product transformation
  3. Prohibited Testing Techniques

    • Denial of Service (DoS), resource exhaustion, or rate-limit bypass attempts
    • Social engineering attacks
    • Automated high-volume scanning
    • Sending OTPs/messages/emails/SMS to other users
    • Attempting to brute-force account credentials, 2FA codes, or client IDs
    • Creating fake KYC documents or synthetic identities
    • Any actions affecting live trading systems during market hours
  4. Low-Impact or Non-Security Issues

    The following are not considered security vulnerabilities:

    • Functional/UI bugs
    • Missing non-security headers
    • Informational disclosures without impact
    • Non-sensitive keys intended for public client-side usage
    • Cookies without security flags unless leading to real exploitation
    • Login enumeration without actual data exposure
    • Report-only configuration flags or non-sensitive debug info
  5. Duplicate Submissions

    FYERS follows a first-valid-report policy:

    • Only the first researcher to report a valid, reproducible, in-scope issue is eligible for a bounty.
    • All subsequent reports of the same issue, root cause, or exploit path are marked as duplicates.

Vulnerability Submission Guidelines

  • Submissions must be reported only through the official Bug Bounty form.
  • A valid submission must include:
    • Clear and reproducible steps
    • Impact explanation
    • Proof-of-Concept (PoC)
    • Screenshots or video evidence with accessible permissions
  • Submissions must not be publicly disclosed before FYERS resolves the issue.
  • Proof-of-Concept must:
    • Use only the researcher's own account
    • Avoid bulk data extraction
    • Avoid modifying production trading data
    • Demonstrate minimum interaction required to prove impact

Bounty Rewards

Rewards are determined solely at FYERS' discretion based on severity, impact, exploitability, compensating controls, and regulatory risk.

Reward Bands:

  • Critical: Up to 1,00,000
  • High: Up to 50,000
  • Medium: Up to 20,000
  • Low: Up to 5,000


Payout Terms:

  • Paid in INR to Indian bank accounts only
  • KYC is mandatory
  • Processing within 60 days after validation
  • Applicable taxes/TDS will be deducted

FYERS reserves the right to withhold or modify rewards for any reason including insufficient impact, inability to reproduce, or policy violation.

Confidentiality & External Disclosure

Participants must:

  • Keep all findings strictly confidential until resolved
  • Not identify FYERS publicly without explicit approval
  • Not share PoCs, logs, screenshots, or sensitive information with any third party
  • Not reference FYERS in any public or private forums without written consent
  • Not disclose any vulnerability or submission externally - even after it is fixed - under "responsible disclosure," "coordinated disclosure," or any similar justification unless FYERS provides explicit written approval

Violation may result in disqualification, banning from the program, or legal action.

Additionally, the following actions will result in immediate disqualification and potential legal escalation:

  • Accessing or attempting to access other users' trading accounts
  • Executing trades on behalf of another user
  • Extracting bulk PII
  • Attempting to monetize findings prior to resolution
  • Public disclosure without authorization

Legal, Compliance & Safe Harbor

Participants must:

  • Comply with all Indian laws and cyber regulations
  • Not attempt unauthorized access to personal data, financial data, wallets, trades, or order systems
  • Immediately delete any sensitive information inadvertently accessed
  • Avoid disruptions to production trading, market operations, or regulatory workflows

FYERS provides no "safe harbor" protections for activity deemed unlawful under Indian law.

Liability & Indemnity

FYERS is not responsible for any damages resulting from participation.

Participants agree to indemnify FYERS against claims arising from violation of these terms.

Acceptance, validation, or reward of a submission does not constitute admission of legal liability, regulatory breach, or systemic failure by FYERS.

Severity classification and bounty determination are internal risk assessments and do not imply regulatory non-compliance.

Right to Refusal

FYERS reserves the right to reject any submission, including but not limited to:

  • Out-of-scope assets
  • Third-party systems
  • Low/no-impact issues
  • Non-reproducible findings
  • Issues already known or under revamp
  • Violations of testing guidelines
  • Duplicate submissions

All decisions on eligibility, severity, and payout are final.

Termination

FYERS may modify, pause, or terminate the bug bounty program at any time without notice.

Governing Law & Jurisdiction

These terms are governed by the laws of India. The courts of Bengaluru Urban shall have exclusive jurisdiction.

Contact & Submission

For general queries about the FYERS Bug Bounty Program, please reach out to:

📧 [email protected]

All vulnerability submissions must be made exclusively through the official submission form to ensure proper triage, tracking, and compliance:

🔗 Submit Vulnerability via Zoho Form

Submissions sent through email, social media, or other channels will not be considered valid for bounty evaluation.

Severity Matrix Overview

Severity determination is made solely by FYERS based on this rubric and is not subject to negotiation. FYERS may reference CVSS scoring; however, final severity is determined based on trading-system context and regulatory exposure rather than CVSS score alone.

Additionally, the following conditions automatically reduce severity:

  • Requires victim interaction + social engineering
  • Requires prior credential compromise
  • Requires device-level compromise
  • Requires attacker-owned account only
  • Limited to pre-auth informational disclosure

Unclassified Vulnerabilities

If a submitted issue does not fit any listed severity example, FYERS will classify it based on:

  • Demonstrated business impact
  • Real-world exploitability
  • Regulatory exposure (SEBI / DPDP / CERT-In)
  • Presence of compensating controls

FYERS' severity decision is final and non-negotiable. The absence of an example does not imply higher severity or reward.

Severity Definition (Trading Context)

  • Critical: Unauthorized access or system behavior that can directly cause financial loss, trading disruption, regulatory breach, or mass user compromise.
  • High: High-impact issues that affect confidentiality or integrity of a single user, or disrupt core flows without financial loss.
  • Medium: Issues that pose moderate risk, require complex exploitation, or reveal non-critical data with compensating controls.
  • Low: Cosmetic or informational gaps with no practical exploitability.

Critical Severity (Up to 1,00,000)

Actual or practical ability to cause financial loss, regulatory exposure, or takeover of trading/system functionality. Theoretical impact without a practical and reproducible exploit path will not be classified as Critical or High. Exploitation must not require prior credential compromise, social engineering, or victim interaction.

Examples (FYERS Trading Platform Context)

  1. Account Takeover (ATO)
    • Bypassing login + OTP
    • Stealing trading session tokens
    • Resetting credentials of another user
  2. Unauthorized Trading Actions
    • Placing, modifying, or cancelling orders of another user
    • Access to order book, holdings, funds
    • API key extraction enabling trade execution
  3. Regulatory Breach / Sensitive Identifier Leak
    • PAN, Aadhaar, BO ID, DP ID leakage (unmasked values)
    • PII exposure that violates DPDP / SEBI cyber framework
  4. Payment / Fund Transfer Compromise
    • Unauthorized withdrawals
    • Razorpay secret leak (server-side secret)
    • MITM on payment flows
  5. Complete System Disruption
    • Trading engine DoS
    • Market-hour disruption
    • Queue poisoning
  6. Mass User Impact
    • Ability to extract data for large sets of users
    • Broken access control exposing multiple accounts
  7. Remote Code Execution / Server Access
    • RCE on backend systems
    • Cloud misconfiguration enabling takeover

High Severity (Up to 50,000)

Definition:

Single-user impact with confidentiality or availability implications. Theoretical impact without a practical and reproducible exploit path will not be classified as Critical or High.

Examples

  1. Pre-auth PII Exposure (Non-regulated but sensitive)
    • Name, masked email, masked phone but correlated with other info
    • KYC stage information visible to unauthorized user
  2. OTP Abuse Leading to Session Disruption
    • Account lockout / pre-auth DoS (during market hours = High)
    • 2FA bypass attempts requiring partial attacker control
  3. Access Control Issues (Non-financial but sensitive)
    • Viewing user profile without modification capability
    • Viewing watchlists, settings, partial logs
  4. Sensitive Business Logic Flaws
    • Placing user into inconsistent trading state
    • Workflow manipulation without fund/financial impact

Medium Severity (Up to 20,000)

Definition:

Localized issues requiring multiple conditions to exploit or exposing low-impact data.

Examples

  1. User Enumeration (Low-risk)
    • Login greets with first name (no financial impact)
    • OTP flow reveals user validity
  2. Scoped Token Reuse
    • Signup/Pre-auth tokens valid longer than expected
    • No cross-user access, no privilege escalation
  3. Payment Key Exposure (Publishable key + attack chain)
    • Not critical by itself
    • But can be High if attacker can create phishing workflow
  4. Broken Authorization (Non-critical flows)
    • Accessing user-specific non-financial data
    • Reading endpoints tied to specific authenticated user

Low Severity (Up to 5,000)

Definition:

Informational, cosmetic, or non-exploitable findings.

Examples

  1. UI/UX Bugs Not Affecting Security
    • Redirect behavior
    • Static content misconfiguration
  2. Hardening Suggestions
    • Signup token cleanup
    • OTP flow consistency suggestions
    • API naming/structure observations
  3. Non-Exploitable Info Leakage
    • Version numbers
    • Debug strings without impact
  4. Deprecated Endpoints / Beta Assets
    • Not exposed to critical data
    • No exploitability
  5. Non-sensitive Config Exposure
    • Environment flags
  6. Rate-Limit Gaps (Non-critical places)
    • OTP resend throttle weak but no DoS
    • Login attempts throttled but passive enumeration exists
  7. Non-Impactful Mobile App Findings
    • Decompilable APK
    • Debug classes unused
    • Android stack traces without sensitive data
    • iOS binary "unencrypted" (normal for App Store)

Explicit Non-Vulnerability Category (No Bounty)

  1. Expected Behavior
    • Signup tokens
    • Public Firebase/Google API keys
    • Client-side SDK public keys
    • Pre-auth configurations that expose no PII
    • Informational findings (security headers, etc.)
  2. Third-Party or Vendor-Managed Assets
    • No bounty, even if valid vulnerability
    • FYERS does not own/operate
  3. Known Issues Under Revamp
    • Internally tracked
    • Already being replaced
    • Not eligible for reward
  4. Duplicate Reports
    • Only first-valid gets the bounty
  5. Informational
    • Public Razorpay publishable key
    • Missing server banners
    • Using malloc or specific native calls (safe pattern)
    • Binary encryption flag showing "false" (expected with FairPlay DRM)
