vman-and-white-cult-text
FITNESS
SPORTS
STORE
logged-out-image
notification-icon
cart-image

violet-circle
bug bounty banner

Identifing vulnerability on our web and reporting

new program where people from all around the world are welcome to identify bugs and report to us, and we will work closely with them to address such issues with urgency, and publicly acknowledge their contribution over our Hall of Fame.

Step by step

If it happens that you have identified a vulnerability on our web or mobile portal, we request you to follow the following
https://static.cure.fit/assets/images/Steps_Card_1.png

1. Identify the impact

Vulnerability it’s severity and impact as per you
https://static.cure.fit/assets/images/Steps_Card_2.png

2. Recreate the scenario

Process to recreate the scenario an reach out to you if further inputs are needed to identify or close the problem.
https://static.cure.fit/assets/images/Steps_Card_3.png

3. Share screenshot/video

share screenshots/ videos related to the issue that could help us inspect further
https://static.cure.fit/assets/images/Steps_Card_4.png

4. Get intouch with us

share your contact details (email, phone number), so that our security team can reach out to you if further inputs are needed.
Contact us immediately by sending an email over to
[email protected]
resolution icon

What will we do

Once we receive your submission, the team will investigate your report and work with you to understand and remediate the vulnerability. Meantime, please don’t discuss or disclose the vulnerability details until we close the report
[email protected]

Out-of-Scope vulnerabilities

  • Exploits using runtime changes
  • Application crashes
  • Irrelevant activities/intents exported
  • Android backup vulnerability
  • Exploits reproducible only on rooted/jailbroken devices
  • Lack of obfuscation
  • Denial of service attacks
  • Phishing attacks
  • Social engineering attacks
  • Reflected file download
  • Software version disclosure
  • Issues requiring direct physical access
  • Issues requiring exceedingly unlikely user interaction
  • Flaws affecting out-of-date browsers and plugins
  • CSV injection
  • Email enumeration
  • Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
  • Missing cookie flags on non-authentication cookies
  • CSP Weaknesses
  • Email Spoofing
  • Broken links or unclaimed social media accounts (unless chained with an impactful exploit)

In Scope Domains

  • *.cult.fit
  • *.curefit.co
  • *.cultsport.com
  • *.curefit.com
winner icon

Rewards Awaiting

Rewards and awards are complete based on the severity and impact of the issue reported and will be at the discretion of the Security Team.

Gold

-2019-

-2021-

-2022-

Jaikishan Tulswani
Sachin Kumar
Mohsin Khan
Udhaya Praveen
Vaibhav KT

-2023-

Swapnil Sharma

-2024-

Silver

-2019-

Navoneel Jana

-2021-

-2022-

Simranjeet Singh Gill

-2023-

Mohsin Khan
Vaibhav KT
Yash Vardhan

-2024-

Suraj Bisht

Bronze

-2019-

-2021-

Pratik Yadav

-2022-

Sachin Kumar
Ritu Sardiwal
Jitaksh Kapoor
Krutika Vinayak Thakur

-2023-

Sachin

-2024-

Thanks

-2019-

Madhuri Deb

-2021-

Mohsin Khan

-2022-

Jaikishan Tulswani
Ritu Sardiwal
Mohsin Khan
Chaitanya Surabhi

-2023-

Ananya Pandey
Suraj Singh Bisht
Piyush
G kranthi kumar
Niraj Kumar
Jaikishan Tulswani

-2024-

Pradeep Jhuriya
Akshay Adak
Shivasai Pasham
Joy Bapuly
Deepeshwar
Dinesh kumar Goud

Disclaimer

If the identified vulnerability can be used to potentially extract information of our customers or systems, or impair our systems' ability to function normally, then please refrain from actually exploiting such a vulnerability. This is absolutely necessary for us to consider your disclosure a responsible one. While we appreciate the inputs of Whitehat hackers, we may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customers. Appreciate your help in keeping Cultfit and our customers' data safe.
For better experience, use Cult app