Zomato on Thursday increased the rewards for its bug bounty programme. According to Zomato, an individual can win up to $4,000 (₹2.99 lakh) for finding a bug on its website or its mobile application.

“The Zomato Bug Bounty Program is a crucial part of our security efforts and we hope that this improvement will further motivate the hacker community. Thank you for your contribution to our program so far and we look forward to your reports!” the food delivery platform said in a statement.

As per Zomato’s bug bounty programme, there is a range of rewards for each severity level, and participants are required to have two-factor authentication enabled on their accounts.

Zomato said that it will be using Common Vulnerability Scoring System (CVSS) to determine the severity of a vulnerability. The bounties will be calculated based on the exact CVSS score finalised by the Zomato Security team.

“For example, a critical vulnerability with CVSS 10.0 will be awarded $4,000; a critical vulnerability with CVSS 9.5 will be awarded $3,000, and so on,” Zomato said in a statement.

The food ordering platform also promised to pay more for unique and hard-to-find bugs. Conversely, it may pay less for bugs with complex prerequisites that lower the risk of exploitation.

Zomato has cited examples of vulnerabilities and their impacts, grouped by its severity ranking:

Zomato’s rewards for its bug bounty programme (screenshot from HackerOne).

Critical:

  • Remote Code Execution (RCE) – able to execute arbitrary commands on a remote device
  • SQL Injection – able to read Personally Identifiable Information (PII) or other sensitive data / full read/write access to a database
  • Server-Side Request Forgery (SSRF) – able to pivot to internal applications and/or access credentials (not blind)
  • Information Disclosure – mass PII leaks including data such as names, emails, phone numbers and addresses

High:

  • Stored Cross-Site Scripting (XSS) – stored XSS with access to non-HttpOnly cookies
  • Information Disclosure – leaked credentials
  • Subdomain Takeover – on a domain that sees heavy traffic or would be a convincing candidate for a phishing attack
  • Cross-Site Request Forgery (CSRF) – leading to account takeover
  • Account Takeover (ATO) – with no or minimal user interaction
  • Insecure Direct Object Reference (IDOR) – read or write access to sensitive data or important fields that you do not have permission to access
  • SQL Injection – able to perform queries with a limited-access user

Medium:

  • CSRF – able to modify important information (authenticated)
  • ATO – requires user interaction
  • IDOR – write access to modify objects that you do not have permission to access
  • XSS – reflected/DOM XSS with access to cookies

Low:

  • Directory listings
  • XSS – POST-based XSS (with CSRF bypass)
  • Lack of HTTPS on dynamic pages (judged on a case-by-case basis)
  • Server information page (no credentials)
  • Subdomain Takeover – on an unused subdomain
