We’re committed to protecting our community. If you are a security researcher or expert and believe you’ve identified security-related issues with Sandbox's website & APIs, we would appreciate you disclosing it to us responsibly.


Our team is committed to addressing all security issues in a responsible and timely manner, and we ask the security community to give us the opportunity to do so without disclosing them publicly. Please submit a detailed description of the issue to us, along with the steps to reproduce it. We trust the security community to make every effort to protect our users’ data and privacy.



Rules of the Program

  • Do not violate the privacy of other users, destroy data, disrupt our services, etc.
  • High-quality submissions allow our team to better understand the issue and relay the bug to the internal team to fix it. The best reports provide enough actionable information to verify and validate the issue without any follow-up clarifying questions.
  • We only reward the first reporter of a vulnerability. 
  • Public disclosure of the vulnerability prior to resolution will result in disqualification from the program. You must report a qualifying vulnerability through the steps mentioned in the ‘How to report a vulnerability?’ section to be eligible for a reward.
  • Check the scope section before you begin writing your report to ensure the issue you are reporting is within the scope of the program.
  • If you find a severe vulnerability that grants system access, stop at the point of proof and report it; do not proceed further.
  • It is Sandbox Financial Technologies Private Limited’s decision to determine when and how bugs should be addressed and fixed.
  • Disclosing bugs to a party other than Sandbox Financial Technologies Private Limited is forbidden; all bug reports are to remain at the reporter's and Sandbox's discretion.
  • Bug disclosure communications with Sandbox's Security Team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.


How to Report a Vulnerability?


Please submit a form by clicking here.



In Scope

  • api.sandbox.co.in
  • dashboard.sandbox.co.in
  • accounts.sandbox.co.in


Out of Scope

  • Any other *.sandbox.co.in subdomain not listed under ‘In Scope’ above.
  • Any services hosted by third-party providers.
  • Anything else not explicitly mentioned under ‘In Scope’ above.



Note: 
If you think you have found a bug with critical impact even if it lies outside the scope of the program, please submit a report and we will get back to you!



We determine Vulnerability Severity based on the following factors:


  • Attack Vector: How remotely the vulnerability can be exploited. The score increases the more remote an attacker can be in order to exploit the vulnerability.
  • Attack Complexity: The conditions beyond the attacker's control that must exist in order to exploit the vulnerability. The score decreases as more such conditions are required.
  • Privileges Required: The level of privileges an attacker must possess before successfully exploiting the vulnerability. The severity increases as fewer privileges are required.
  • User Interaction: Whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.
  • Scope: Whether a successful attack impacts a component other than the vulnerable component.
  • Confidentiality: The impact of the bug as it relates to confidential information being accessed.
  • Integrity: Whether data can be modified due to the vulnerability.
  • Availability: Whether data or functionality can be rendered inaccessible, i.e. the impact on the availability of the affected component.




Vulnerability Classification:


  • Critical: Remote Code Execution (RCE), Leakage of Sensitive Information
  • High: Broken Authentication & Authorization Flow, Privilege Escalation, Server-Side Injection with Critical Impact, File Inclusion, Account Takeover, Insecure Direct Object Reference (IDOR)
  • Medium: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Server-Side Request Forgery (SSRF), Broken Access Control




Non-qualifying Vulnerabilities & Prohibited Actions


  • Automated tools or scripts are STRICTLY PROHIBITED and any reports generated by automated scan tools are not acceptable.
  • DoS and DDoS, spamming, social engineering (including phishing), any physical attempts, anything requiring a MITM position, and any brute-force technique (e.g. repeatedly entering passwords) used to gain access to the system.
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, or by deleting or modifying other users' data.
  • Do not reveal the problem to third parties.
  • Reports based only on publicly available information, or issues that require a victim to follow instructions in their own browser.
  • Missing security best practices that do not constitute an exploitable vulnerability.
  • Mail Server Misconfiguration - Invalid or missing SPF/DKIM/DMARC records.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Promo code enumeration, abuse of our promotional offers and referral codes.
  • Missing Secure or HttpOnly Cookie Flag / Insecure SSL/TLS Configuration / Certificate Error / Mixed Content (HTTPS page sourcing HTTP).
  • Rate Limiting based issues.
  • Lack of Security Headers.
  • Clickjacking
  • Session Expiration/Invalidation Related Issues.
  • Username/Email Enumeration.
  • Logout or unauthenticated CSRF.
  • Lack of Password Confirmation.
  • EXIF Geolocation Data Not Stripped From Uploaded Images.
  • Issues that don't affect the latest version of modern browsers or platforms.
  • Use of a known-vulnerable library (without evidence of exploitability).
  • Any other issues determined to be of negligible security impact.
  • 0-day vulnerabilities in any third-party software we use, reported within 10 days of their public disclosure.
  • Reports of vulnerabilities already known to us (duplicates).
  • Password Policy Related Issues.


Note: Abuse of any vulnerability found may result in legal action.




Rewards


We will reward reports according to the severity of their impact on a case-by-case basis as determined by our security team.


  • Critical (P1) vulnerabilities: Cash (max. INR 5000) + Appreciation Certificate
  • High (P2) vulnerabilities: Cash (max. INR 1000) + Appreciation Certificate
  • Medium (P3) vulnerabilities: Appreciation Certificate and Hall of Fame (HOF)
  • Low (P4) vulnerabilities: Appreciation Certificate and Hall of Fame (HOF)
  • P5 vulnerabilities: Not eligible


All bounty rewards will be paid based on an internal assessment by our security team. Depending on the severity, the team will respond within 1-7 days to communicate whether the bug report was accepted or declined and the next steps, including payment of the reward.



Do we Recruit?


We are constantly looking for skilled security professionals! Feel free to consult our job openings by clicking here. The IT Security Team will make sure to put in a good word for you.