bug bounty banner

Identifing vulnerability on our web and reporting

new program where people from all around the world are welcome to identify bugs and report to us, and we will work closely with them to address such issues with urgency, and publicly acknowledge their contribution over our Hall of Fame.

Step by step

If it happens that you have identified a vulnerability on our web or mobile portal, we request you to follow the following

1. Identify the impact

Vulnerability it’s severity and impact as per you

2. Recreate the scenario

Process to recreate the scenario an reach out to you if further inputs are needed to identify or close the problem.

3. Share screenshot/video

share screenshots/ videos related to the issue that could help us inspect further

4. Get intouch with us

share your contact details (email, phone number), so that our security team can reach out to you if further inputs are needed.
Contact us immediately by sending an email over to
resolution icon

What will we do

Once we receive your submission, the team will investigate your report and work with you to understand and remediate the vulnerability. Meantime, please don’t discuss or disclose the vulnerability details until we close the report

Out-of-Scope vulnerabilities

  • Exploits using runtime changes
  • Application crashes
  • Irrelevant activities/intents exported
  • Android backup vulnerability
  • Exploits reproducible only on rooted/jailbroken devices
  • Lack of obfuscation
  • Denial of service attacks
  • Phishing attacks
  • Social engineering attacks
  • Reflected file download
  • Software version disclosure
  • Issues requiring direct physical access
  • Issues requiring exceedingly unlikely user interaction
  • Flaws affecting out-of-date browsers and plugins
  • CSV injection
  • Email enumeration
  • Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
  • Missing cookie flags on non-authentication cookies
  • CSP Weaknesses
  • Email Spoofing
  • Broken links or unclaimed social media accounts (unless chained with an impactful exploit)

Out Of Scope Domains

  • cultx.fit
  • eatfit.in
  • partner.cult.fit
  • academy.cult.fit
  • sugarfit.com
  • design.cult.fit
  • warehousexyz.curefit.co
winner icon

Rewards Awaiting

Rewards and awards are complete based on the severity and impact of the issue reported and will be at the discretion of the Security Team.


















If the identified vulnerability can be used to potentially extract information of our customers or systems, or impair our systems' ability to function normally, then please refrain from actually exploiting such a vulnerability. This is absolutely necessary for us to consider your disclosure a responsible one. While we appreciate the inputs of Whitehat hackers, we may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customers. Appreciate your help in keeping Cultfit and our customers' data safe.