Hike’s Responsible Disclosure Policy - Bug Dhundo, Cash Kamao! (Find the Bug, Earn Cash!)

At Hike Private Limited (including its affiliates) (hereinafter referred to as ‘Hike’ or ‘We’), we are committed to the safety and security of our services and to the integrity of their data. We appreciate and encourage security researchers and analysts to contact us to report potential security vulnerabilities or bugs (“Bug”) in the services offered on www.getrushapp.com and the related mobile application (together, the "Rush Platform").

If you believe you have discovered a Bug in the Rush Platform, we appreciate your help in disclosing the issue to us responsibly. To support this, we have established a Responsible Disclosure Policy. This policy is designed to create a clear communication path for reporting and disclosing exploitable vulnerabilities in the Rush Platform.

Your participation in the Program is voluntary. By disclosing or reporting a Bug to us, you are indicating that you have read and have agreed to adhere to the terms and conditions set out on this page.

Once we receive your submission, we will investigate your report and work with you to understand and remediate the Bug.

We may modify and revise this policy at our sole discretion from time to time; please check here for updates.

Eligibility

  • You must be the first person to responsibly report the Bug to us.
  • The Bug must be found while testing within the scope of this policy.
  • You agree to participate in testing the effectiveness of the countermeasure applied in response to your report.
  • You agree to keep all communication with us private.
  • You must not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to your participation in the Program.

Rules of Engagement

  • Do not perform any attack that could harm the reliability, integrity, and capacity of our services. DDoS/spam attacks are not allowed.
  • Do not violate the privacy of other users, destroy data, disrupt our services or Rush Platform, etc.
  • Do not violate any laws or breach any agreements in order to discover bugs.
  • Use the identified email address/form on our websites to report any bug-related information to us.
  • You must comply with this policy when discovering the bug and submitting the form on our website.
  • Keep information in relation to any bug you have discovered confidential between yourself and Hike. You shall not publicly disclose the bug on any online or physical platform before it is fixed and prior written approval/consent to publicly disclose is obtained from Hike.
  • Bug disclosure communications with Hike’s Security Team are to remain confidential. Researchers must destroy all artifacts created to document bugs (PoC code, videos, screenshots) after the bug report is closed.
  • Threatening of any kind will automatically disqualify you from participating in the program.
  • Do not use scanners or automated tools to find bugs.
  • Do not in any way attempt to abuse a bug you have found; doing so may expose you to legal penalties.
  • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • As a security researcher, you represent and warrant that you have the right, title, and interest to disclose any bug found and to submit any information, including documents, codes, among others, in connection therewith.
  • Once you report a bug, you grant Hike an irrevocable, worldwide, royalty-free, transferable, sublicensable right to use your submission in any way Hike deems appropriate, for any purpose.
  • Further, you waive all other claims of any nature, including claims in express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by Hike.

In-Scope Assets

  • The Rush by Hike app, available for download via getrushapp.com and via the Apple App Store

How to Report Bug(s)?

If you think you have discovered a valid in-scope Bug, please report it to us by filling out the form on the website.

Once we receive your submission, the team will investigate your report and work with you to understand and remediate the vulnerability. In the meantime, please do not discuss or disclose the Bug details until we close the report.

Thank you for helping keep Hike and our users safe!

Authorization

  • If you make a good-faith effort to comply with this policy during your security research, we will consider your research to be authorized, will work with you to understand and resolve the issue quickly, and Hike will not initiate or recommend legal action related to your research.
  • If the identified Bug could be used to extract information about our customers or systems, or to impair our systems' ability to function normally, please refrain from actually exploiting it. Demonstrating the existence of the Bug is enough; this restraint is absolutely necessary for us to consider your disclosure a responsible one.
  • While we appreciate the input of researchers, we may take legal recourse if an identified Bug is exploited for unlawful gain, to gain access to restricted customer or system information, or to impair our systems.

Out of Scope Bug(s)

  • Physical or social engineering attempts (this includes phishing attacks against Hike employees)
  • Ability to send push notifications/SMS messages/emails without the ability to change content
  • Ability to take over social media pages (Twitter, Facebook, LinkedIn, etc.)
  • Mail configuration issues including SPF, DKIM, DMARC settings
  • Best-practice concerns such as cookies not marked Secure or HttpOnly, missing HSTS, SSL/TLS configuration, missing security headers, etc.
  • Negligible security impact
  • Reports that state that software is out of date/vulnerable without a proof-of-concept
  • Highly speculative reports about theoretical damage
  • Bug(s) as reported by automated tools without additional analysis as to how they're an issue
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Subdomain takeovers without proof of control - to be eligible, demonstrate that you are able to take over the page by leaving a non-offensive message, such as your username
  • CSV injection
  • Protocol mismatch
  • Rate limiting
  • Bug(s) that cannot be used to exploit other users or Hike -- e.g. self-XSS or having a user paste JavaScript into the browser console
  • Content injection issues
  • Missing cookie flags on non-authentication cookies
  • Cross-site Request Forgery (CSRF) with minimal security implications (e.g. Logout CSRF)
  • Issues that require physical access to a victim’s computer/device
  • Stack traces, path disclosure, or directory listings
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  • Issues on third-party-hosted, non-Hike assets such as hikeapp.atlassian.net and hikeapp.notion.site

Out-of-Scope Bug(s) for Android/iOS

  • Exploits relying on runtime changes (e.g. hooking or instrumentation of the running app)
  • Absence of certificate pinning
  • Snapshot, pasteboard, or clipboard data leakage
  • Lack of code obfuscation
  • Exploits reproducible only on rooted or jailbroken devices
  • Android backup issues (e.g. the allowBackup manifest flag)
  • Exported activities or intents with no security impact

Rewards

Bounty: The amount of the Bounty given for any Bug disclosed to us will be determined solely by us. Hike has absolute sole discretion in deciding the category of the Bug reported: Advanced, Intermediate or Basic. This determination of category is not subject to discussion, review, or appeal.

Certification: Once a bug is verified and fixed as a result of your report, we may provide you with an App Quality Assurance Certificate, subject to the level of the Bug disclosed and at our discretion. Please note that this is a merit certificate intended solely to recognize achievement within our program. The certificate may be referenced in your resume or professional profile or otherwise in a public forum; however, it does not carry any official academic or professional accreditation. It is awarded solely to recognize your participation in the bug bounty program and does not constitute an endorsement or representation by Hike of your proficiency, skill level, or qualifications in the subject matter. It is the responsibility of the certificate holder to demonstrate their competence through practical application and further experience, and of any person relying on the Certificate to make their own independent evaluation. Any person or entity choosing to rely on this certificate for any purpose does so at their own risk. Hike shall not be held responsible or liable for any consequences arising from such reliance.