Identifying a vulnerability on our web properties and reporting it
This is a new program where people from all around the world are welcome to identify bugs and report them to us; we will work closely with them to address such issues with urgency, and publicly acknowledge their contribution in our Hall of Fame.
Step by step
If you have identified a vulnerability on our web or mobile portal, we request that you follow the steps below:
1. Identify the impact
Describe the vulnerability, and its severity and impact as you assess them.
2. Recreate the scenario
Give the steps needed to reproduce the issue; we may reach out to you if further inputs are needed to identify or close the problem.
3. Share screenshots/videos
Share screenshots or videos related to the issue that could help us investigate further.
4. Get in touch with us
Share your contact details (email, phone number) so that our security team can reach out to you if further inputs are needed.
What will we do
Once we receive your submission, the team will investigate your report and work with you to understand and remediate the vulnerability. In the meantime, please do not discuss or disclose the vulnerability details until we close the report.
security@curefit.com
Out-of-scope vulnerabilities
Exploits using runtime changes
Application crashes
Irrelevant activities/intents exported
Android backup vulnerability
Exploits reproducible only on rooted/jailbroken devices
Lack of obfuscation
Denial of service attacks
Phishing attacks
Social engineering attacks
Reflected file download
Software version disclosure
Issues requiring direct physical access
Issues requiring exceedingly unlikely user interaction
Flaws affecting out-of-date browsers and plugins
CSV injection
Email enumeration
Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
Missing cookie flags on non-authentication cookies
CSP Weaknesses
Email Spoofing
Broken links or unclaimed social media accounts (unless chained with an impactful exploit)
Out-of-scope domains
cultx.fit
eatfit.in
partner.cult.fit
academy.cult.fit
sugarfit.com
design.cult.fit
warehousexyz.curefit.co
Rewards Awaiting
Rewards and awards are based entirely on the severity and impact of the issue reported and are at the discretion of the Security Team.
Gold
-2019-
-2021-
-2022-
-2023-
Silver
-2019-
-2021-
-2022-
-2023-
Bronze
-2019-
-2021-
-2022-
-2023-
Thanks
-2019-
-2021-
-2022-
-2023-
Disclaimer
If the identified vulnerability could be used to extract information about our customers or systems, or to impair our systems' ability to function normally, please refrain from actually exploiting it. This is absolutely necessary for us to consider your disclosure a responsible one. While we appreciate the inputs of white-hat hackers, we may take legal recourse if identified vulnerabilities are exploited for unlawful gains or to gain access to restricted customer information. We appreciate your help in keeping Cultfit and our customers' data safe.