UPDATED: 06TH SEPTEMBER 2023
Primofrast’s Responsible Disclosure Policy
Primofrast takes the security of our systems and data privacy very seriously. We constantly strive to make our systems safe for our customers to use. However, in the rare case that a security researcher or member of the general public discovers a security vulnerability in our systems and responsibly shares the details with us, we appreciate their contribution and work closely with them to address the reported issue with urgency. We are also happy to acknowledge your contributions publicly.
Process to report an issue
- E-mail your findings to [email protected]. Please include your contact information, including your mobile number.
- Provide enough information to reproduce the problem, so that we can resolve it as quickly as possible.
- Screenshots or video recordings documenting the steps in detail are very helpful.
Terms and Guidelines
- No user/customer data is modified, deleted or misused without prior explicit permission
- The discovery of vulnerabilities should not cause any disruption of services, and thus a degraded user experience, for any user
- You shall not expose the findings on any medium – including but not limited to social media, research papers and blogs (personal or otherwise)
- Any and all information and/or finding(s) regarding the vulnerability shall be kept confidential between you and Nykaa and not disclosed to any third party by you at any time
- Exploiting a vulnerability for personal gain will lead us to take strict legal action against you
- In case of an inadvertent privacy breach, ensure that you notify us with immediate effect
- You shall allow us time to close the vulnerabilities identified
- Please remember that the law of the land always applies: while conducting your research, you shall refrain from violating applicable laws and regulations, including but not limited to applicable information technology and data privacy laws
- Assist in mitigation of the vulnerability if required
- You hereby agree to the above-mentioned Responsible Disclosure Guidelines, and any deviation therefrom will entitle us to take appropriate legal action against you
SCOPE OF THE PROGRAM
Targets in scope
- *.nykaa.com
- *.nykaaman.com
- *.nykaafashion.com
- *.nykdbynykaa.com
- *.superstore.in
- *.twentydresses.com
- *.pipabella.com
- *.gloot.co.in
- *.kicaactive.com
- *.lbb.in
- *.lbbshop.in
- *.iykykclub.com
- *.gajragang.com
- Nykaa Beauty mobile app ( Android | iOS )
- NykaaMan mobile app ( Android | iOS )
- NykaaFashion mobile app ( Android | iOS)
- SuperStore mobile app ( Android )
- Disha mobile app ( Android )
- LBB mobile app ( Android | iOS )
Out of Scope Targets
All external services/software not managed or controlled by Nykaa are considered out of scope / ineligible for recognition.
- Vendor Endpoints
- Delivery Endpoints
- 3rd Party Applications
OUT OF SCOPE VULNERABILITIES
WEB
- Vulnerabilities that do not demonstrate security impact will be considered out of scope for this program.
- Vulnerabilities regarding SPF/DMARC/DKIM records without verifiable proof of spoofing
- Best-practice concerns such as non-session cookies not marked Secure and HttpOnly, SSL/TLS configuration, missing security headers, etc.
- Vulnerabilities reported by automated tools and scanners without additional proof of concept
- End of Life Browsers / Old Browser versions (e.g. Internet Explorer 6)
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Exploits that need physical access to the victim’s device
- Host header injection
- Unauthenticated/logout/login CSRF
- Previously known vulnerable libraries without a working Proof of Concept
- Any kind of spoofing attacks or any attacks that lead to phishing (e.g. Email spoofing, Capturing login credentials with fake login page)
- Self XSS
- Bugs requiring exceedingly unlikely user interaction, for example social engineering attacks against users or Nykaa employees
- Third-party API key disclosures without any impact, or keys which are supposed to be open/public. Specifically, exposed Google Maps API keys and keys in Android XML files.
- OPTIONS / TRACE HTTP methods enabled
- Known public files or directories disclosure (e.g. robots.txt, CSS/images, etc)
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Any kind of vulnerability that requires installation of software such as web browser add-ons on the victim’s machine
- Brute force on forms (e.g. Newsletter / ContactUs page)
- Missing best practices in Content Security Policy.
- Missing SSL, CAA headers
- Functional, UI, and UX bugs and spelling mistakes.
Android/iOS
- Exploits that are reproducible only on rooted/jailbroken devices
- Absence of certificate pinning
- Bypassing root/jailbroken detection
- Snapshot/Pasteboard/Clipboard data leakage
- Lack of obfuscation
- Irrelevant activities/intents exported
- Lack of exploit mitigations (i.e., PIE, ARC or stack canaries) in the iOS app
- Lack of binary protection control
Acknowledgements
We do not run a cash/bug bounty program, but we are happy to issue a certificate of recognition to individuals who report security issues responsibly and help us make Primofrast systems more secure.
“On behalf of Nykaa, we would like to thank the following people for making a responsible disclosure to us”