Self-XSS, XSS in outdated browsers or without security impact
Denial of Service (DoS) or resource exhaustion attacks without data/authentication/security impact
Phishing and social engineering attacks (including physical approaches, fraudulent schemes, and vulnerabilities whose only impact is enabling phishing)
Rounding errors, race conditions or timing issues without demonstrated financial or security impact
Bugs only affecting out-of-scope, third-party or non-production assets (including issues in third-party services and domains we do not control)
Reflected file download
Software version disclosure (server or stack banners, HTTP headers, version strings or identifiable error messages)
Automated high-volume scanning or DoS attempts
Issues requiring direct physical access
Issues requiring exceedingly unlikely user interaction (vulnerabilities depending on improbable scenarios, advanced end-user action or significant user interaction)
CSV/Text Injection
Spamming (e.g. SMS/Email Bombing)
Session fixation issues unless they enable privilege escalation or account takeover
Email/Phone/username enumeration
Cross-Site Request Forgery (CSRF) on login/logout, insignificant or unauthenticated endpoints
Missing Security Headers
Public login panels or pages without proven issue/impact
Unvalidated findings from automated scanners or tools (theoretical vulnerabilities, raw scan output, or unverified “possible” bugs without a demonstrated impact)
Absence of CSP or HSTS headers unless proven exploitable
Email Spoofing
Rate limiting/brute force missing on non-sensitive actions
CORS misconfiguration without exploit path
Issues related to image metadata (e.g., EXIF data leakage or filename disclosure) unless exposing sensitive information
Broken link hijacking or unclaimed social media accounts
Clickjacking or Tapjacking on pages with no sensitive functionality (e.g. non-payment or info-gathering pages)
Missing or weak DMARC/SPF/DKIM (email policy errors) without proven impact
Missing security best practices
Open redirects without demonstrable impact (e.g., cannot be leveraged for phishing or token theft)
SSL/TLS issues unless exploit can demonstrate interception/tampering
Outdated software/library versions: reports about outdated components without a working exploit