This is Ather's bug bounty program, known as the Responsible Vulnerability Disclosure Program (hereinafter referred to as RVDP or the Program). The Program offers security researchers an opportunity to discover and report flaws on our platform while earning recognition and reward for their contributions. By participating in this Program, you help us maintain the highest standards of security and make a positive impact on the safety of our services.
You are required to maintain the highest level of confidentiality about Ather Energy and must not publicly reveal any information about security vulnerabilities without written consent from Ather.
Please note that due to the high volume of submissions, it may take some time to process your submission and address the reported vulnerability. We are committed to acknowledging and responding to all emails/reports within 3-5 working days. We take these reports seriously and appreciate your efforts in helping us maintain the security of our systems.
The originality, quality, and content of your report will be evaluated during the processing of the submission. Please ensure that the report clearly explains the impact and exploitability of the issue, along with a detailed proof of concept.
Please ensure that any supporting materials such as proof of concept videos and scripts are not uploaded on any third-party website(s), but instead are attached directly to the acknowledgement email received from us.
You must provide additional information if requested. Failure to do so may result in the invalidation of your submission.
You must show respect for Ather's existing applications and not run any test cases that may disrupt our services.
In order to protect Ather's sensitive data and the privacy of other users, researchers should demonstrate impact in a secure manner. Researchers must cease testing and notify us immediately upon discovering any exposure of non-public data or Personally Identifiable Information (PII).
Upon reporting a vulnerability, researchers must purge any non-public or PII data belonging to the organisation that they have stored during testing.
If you ever find yourself unable to determine the impact without possibly having access to sensitive or production data, please let us know so that we can look into the matter on your behalf.
You must not use automated tools or scripts, as these can be disruptive or cause systems to misbehave. Doing so will render your submission invalid and result in complete disqualification from this and similar Programs run by Ather.
Even after the vulnerability has been fixed, researchers should not publicly disclose any information or data related to the discovered/reported vulnerabilities.
The severity, impact, and complexity of the reported vulnerability will be used to decide eligibility for rewards. Eligibility for rewards and recognition is at the discretion of Ather.
Please find below the list of web apps and mobile apps that are in the scope of this Program:
Ather app
Ather Grid app
Here are the prerequisites to qualify for a reward or recognition:
The Ather team will evaluate whether the reported vulnerability has already been reported by another researcher. If so, your report will not be taken into account.
Adherence to our Responsible Disclosure & Reporting Guidelines is mandatory.
This program is open to individuals only and not to any organisation.
Please report the identified bug to our Security Team by sending an email from your own email address to ([email protected]), using the subject line and email body format given below. The format must be followed strictly.
Subject line: Bug Bounty: <Vulnerability Name> - <Vulnerability Severity>
Email body:
Vulnerability Information:
Name of Vulnerability:
Vulnerability Severity:
Description of Vulnerability:
Detailed Report:
Vulnerable Instances (URL, IP, API or Product Name):
Steps to Reproduce:
Proof of Concept:
Impact:
Mitigation steps:
Bounty Hunter details:
Full Name:
Email Address:
Mobile Number:
Any publicly identifiable profile (optional): LinkedIn, Twitter, HackerOne, etc.
Although we review all reported issues on a case-by-case basis, please note that some reported issues with low impact may not qualify for recognition. Any reported vulnerability must demonstrate a clear security impact. The severity of a vulnerability will be evaluated based on the ease of exploitation and the impact it would have on Ather. Here are some common examples of "Out-of-Scope Vulnerabilities" that typically do not warrant recognition or reward:
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
User Enumeration on Login Forms/Forgot Password functionality
Older versions of software/plugins/third-party libraries
Vulnerabilities related to SPF/DMARC/DKIM records
Vulnerabilities related to HTTP security headers and methods
Phishing and social engineering of Ather employees, vendors, and users
Anything related to SSL/TLS protocol
Any exploit that requires user interaction
Cross-Site Request Forgery on low-impact actions (e.g. login, logout)
Cross-Site Scripting (e.g. Self XSS), Clickjacking
Disclosure of known public files or directories
Injection issues such as Host header injection
Brute forcing or bypassing any mechanism (e.g. bypassing a CAPTCHA with a browser add-on)
Any vulnerability that requires physical device access
Vulnerability submission on third-party products, services, and/or applications not owned by Ather
Vulnerabilities involving any compromised/stolen data (credentials, coupons, etc.)
Disclosure of internal server file paths
Hypothetical subdomain takeovers without supporting evidence
Any vulnerability related to rate limiting
Vulnerabilities related to cookie attributes
Price manipulation without a successful transaction
Open Redirect, URL Redirection leading to phishing
Open Ports/Services
Missing certificate pinning
Exploits that require rooted/jailbroken devices
Lack of obfuscation and binary protection
Vulnerabilities in third-party libraries.
Weak encryption/encoding mechanisms without a demonstrated exploit
Vulnerabilities in WebView Feature
Crashes due to malformed URL Schemes
Lack of runtime exploit mitigation techniques
By participating, you hereby irrevocably agree to comply with these Terms and Conditions of the Program.