
Responsible Vulnerability Disclosure Program

1. What is a Responsible Vulnerability Disclosure Program?

This is a bug bounty program known as Responsible Vulnerability Disclosure Program (herein referred to as RVDP or Program). Our Program offers an opportunity for security researchers to discover and report flaws on our platform while earning recognition and reward for their contributions. By participating in this Program, you can help us maintain the highest standards of security and make a positive impact on the safety of our services.

2. Responsible Disclosure Guidelines
  • You are required to maintain the highest level of confidentiality about Ather Energy and must not publicly reveal any information about security vulnerabilities without written consent from Ather.

  • Please note that due to the high volume of submissions, it may take some time to process your submission and address the reported vulnerability. We are committed to acknowledging and responding to all emails/reports within 3-5 working days. We take these reports seriously and appreciate your efforts in helping us maintain the security of our systems.

  • The originality, quality, and content of your report will be evaluated during the processing of the submission. Please ensure that the report clearly explains the impact and exploitability of the issue, along with a detailed proof of concept.

  • Please ensure that any supporting materials such as proof of concept videos and scripts are not uploaded on any third-party website(s), but instead are attached directly to the acknowledgement email received from us.

  • You must provide additional information if requested. Failure to do so may result in the invalidation of your submission.

  • You must respect Ather's existing production applications and must not run any test cases that may disrupt our services.

  • In order to protect Ather's sensitive data and the privacy of other users, researchers should demonstrate impact in a secure manner. Researchers must cease testing and notify us immediately upon discovering exposure of any non-public data or Personally Identifiable Information (PII).

  • Upon reporting a vulnerability, researchers must purge any non-public or PII data belonging to the organisation that they have stored during testing.

  • If you ever find yourself unable to determine the impact without possibly having access to sensitive or production data, please let us know so that we can look into the matter on your behalf.

  • You must not use any automated tools/scripts, as these can be disruptive or cause systems to misbehave. Doing so will render your submission invalid and result in complete disqualification from this and similar Programs run by Ather.

  • Even after the vulnerability has been fixed, researchers must not publicly disclose any information or data related to the discovered/reported vulnerabilities.

  • The severity, impact, and complexity of the reported vulnerability will be used to decide on the eligibility for the rewards. Eligibility for rewards and recognition is at the discretion of Ather.

3. Program Scope

Please find below the list of web apps and mobile apps that are in the scope of this Program:

3.1 Web Apps

3.2 Mobile Apps

  • Ather app

  • Ather Grid app

4. Eligibility

Here are the prerequisites to qualify for a reward or recognition:

  • The Ather team will check whether the reported vulnerability has already been reported by another researcher. If it has, your report will be treated as a duplicate and will not be taken into account.

  • Adherence to our Responsible Disclosure & Reporting Guidelines is mandatory.

  • This program is open to individuals only and not to any organisation.

5. Reporting a Vulnerability

Please report the identified bug to our Security Team by sending an email from your own email address to ([email protected]) with the subject line "Bug Bounty" and including the details listed below in the email. The format in Section 6 must be strictly followed.

6. Email Format for Reporting a Vulnerability

Subject line: Bug Bounty: <Vulnerability Name> - <Vulnerability Severity>

Email body:

Vulnerability Information:

Name of Vulnerability:

Vulnerability Severity:

Description of Vulnerability:

Detailed Report:

Vulnerable Instances (URL, IP, API or Product Name):

Steps to Reproduce:

Proof of Concept:

Impact:

Mitigation steps:


Bounty Hunter details:

Full Name:

Email Address:

Mobile Number:

Any Publicly identifiable profile (optional): LinkedIn, Twitter, Hackerone etc.

7. Out-of-scope vulnerabilities

Although we review all reported issues on a case-by-case basis, please note that some reported issues with low impact may not qualify for recognition. Any reported vulnerability must demonstrate a clear security impact. The severity of a vulnerability will be evaluated based on the ease of exploitation and the impact it would have on Ather. Here are some common examples of 'Out-of-Scope Vulnerabilities' that typically do not warrant recognition or reward:

7.1 Web App Vulnerabilities:

  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks

  • User Enumeration on Login Forms/Forgot Password functionality

  • Older versions of software/plugins/third-party libraries

  • Vulnerabilities related to SPF/DMARC/DKIM records

  • Vulnerabilities related to HTTP security headers and methods

  • Phishing and social engineering of Ather employees, vendors, and users

  • Anything related to SSL/TLS protocol

  • Any exploit that requires user interaction

  • Cross-Site Request Forgery (e.g. on login or logout)

  • Cross-Site Scripting (e.g. Self-XSS), Clickjacking

  • Disclosure of known public files or directories

  • Injection vulnerabilities (e.g. Host header injection etc.)

  • Brute forcing or bypassing any protective mechanism (e.g. bypassing a CAPTCHA using a browser add-on)

  • Any vulnerability that requires physical device access

  • Vulnerability submission on third-party products, services, and/or applications not owned by Ather

  • Vulnerabilities involving any compromised/stolen data (credential, coupon, etc.)

  • Disclosure of internal server file paths

  • Hypothetical subdomain takeovers without supporting evidence

  • Any vulnerability related to rate limit

  • Vulnerability related to cookie attributes

  • Price manipulation without a successful transaction

  • Open Redirect, URL Redirection leading to phishing

  • Open Ports/Services

7.2 Out-of-Scope Vulnerabilities for Mobile Applications (Android/iOS)

  • Missing certificate pinning

  • Exploits that require rooted/jailbroken devices

  • Lack of obfuscation and binary protection

  • Vulnerabilities in third-party libraries

  • Weak encryption/encoding mechanisms without demonstrated exploitation

  • Vulnerabilities in the WebView feature

  • Crashes due to malformed URL schemes

  • Lack of runtime exploit mitigation techniques

By participating, you hereby irrevocably agree to comply with these Terms and Conditions of the Program.