Hike Private Limited's Responsible Disclosure Policy



At Hike Private Limited (including its affiliates) (hereinafter referred to as ‘Hike’ or ‘We’), we are committed to the safety and security of our services and to the integrity of their data. We appreciate and encourage security researchers/analysts to contact us to report potential vulnerabilities in the services offered on www.getrushapp.com and the related mobile application ("Rush Platform").

If you believe you have discovered a potential security vulnerability in the Rush Platform, we appreciate your help in disclosing the issue to us responsibly. In support of this, we have established a Responsible Disclosure Policy, also known as a Vulnerability Disclosure Policy. This policy is designed to create a clear communication path for reporting and disclosing exploitable vulnerabilities in the Rush Platform.

Your participation in the Program is voluntary. By disclosing/reporting a vulnerability to us, you are indicating that you have read and have agreed to adhere to the terms and conditions set out on this page.

Once we receive your submission, we will investigate your report and work with you to understand and remediate the vulnerability.

We may modify and revise this policy at our sole discretion as we move forward into the future; please continue to check here for updates.

Eligibility

  • You must be the first person to responsibly report the vulnerability to us.
  • The vulnerability must have been found while testing within the scope of this policy.
  • The reported vulnerability must significantly impact the security and integrity of Rush Platform services, or the privacy of customer or partner data.
  • You agree to participate in testing the effectiveness of the countermeasure applied in response to your report.
  • You agree to keep all communication with us private.
  • You must not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to your participation in the Program.

Rules of Engagement

  • Do not perform any attack that could harm the reliability, integrity or capacity of our services. DDoS and spam attacks are not allowed.
  • Do not violate the privacy of other users, destroy data, or disrupt our services or the Rush Platform.
  • Do not violate any laws or breach any agreements in order to discover vulnerabilities.
  • Use the designated email address to report any vulnerability information to us.
  • You must comply with this Policy both when discovering the vulnerability and when submitting the vulnerability report.
  • Keep information relating to any vulnerabilities you have discovered confidential between yourself and Hike. The Researcher shall not publicly disclose the bug or vulnerability on any online or physical platform before it is fixed and prior written approval/consent to publicly disclose has been obtained from Hike.
  • Bug disclosure communications with Hike’s Security Team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (PoC code, videos, screenshots) after the bug report is closed.
  • Threats of any kind will automatically disqualify you from participating in the program.
  • Do not use scanners or automated tools to find vulnerabilities.
  • Do not in any way abuse any vulnerability found; doing so may result in legal penalties.
  • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • As a security researcher, you represent and warrant that you have the right, title and interest to disclose any vulnerability found and to submit any information, including documents, code and other material, in connection therewith. Once you report a vulnerability, you grant Hike an irrevocable, worldwide, royalty-free, transferable, sublicensable right to use the submitted information in any way Hike deems appropriate, for any purpose. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by Hike.

In-Scope Assets

Type     | URL / Application
---------|---------------------------------
Android  | Rush Android App
iOS      | Rush iOS App
Domain   | *.hike.in, *.getrushapp.com

How to Report Vulnerability?

At present, the Hike Bug Bounty Program is private and works on an invitation-only basis. If you have not been invited to our program but believe you have discovered a valid in-scope vulnerability, please report it to us by clicking on the Submit Report button.

Once we receive your submission, the team will investigate your report and work with you to understand and remediate the vulnerability. In the meantime, please do not discuss or disclose the vulnerability details until we close the report.

Thank you for helping keep Hike and our users safe!

Authorization

  • If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, will work with you to understand and resolve the issue quickly, and Hike will not initiate or recommend legal action related to your research.
  • If the identified vulnerability could be used to extract information about our customers or systems, or to impair our systems' ability to function normally, please refrain from actually exploiting it. This is absolutely necessary for us to consider your disclosure a responsible one.
  • While we appreciate the input of researchers, we may take legal recourse if identified vulnerabilities are exploited for unlawful gain, to access restricted customer or system information, or to impair our systems.

Out of Scope Vulnerabilities

  • Physical or social engineering attempts (this includes phishing attacks against Hike employees)
  • Ability to send push notifications/SMS messages/emails without the ability to change content
  • Ability to take over social media pages (Twitter, Facebook, LinkedIn, etc.)
  • Mail configuration issues including SPF, DKIM, DMARC settings
  • Best-practice concerns such as cookies not marked Secure or HttpOnly, missing HSTS, SSL/TLS configuration, missing security headers, etc.
  • Negligible security impact
  • Reports that state that software is out of date/vulnerable without a proof-of-concept
  • Highly speculative reports about theoretical damage
  • Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Subdomain takeovers - please demonstrate that you are able to take over the page by leaving a non-offensive message, such as your username
  • CSV injection
  • Protocol mismatch
  • Rate limiting
  • Vulnerabilities that cannot be used to exploit other users or Hike -- e.g. self-xss or having a user paste JavaScript into the browser console
  • Content injection issues
  • Clickjacking on pages with no sensitive actions
  • Missing cookie flags on non-authentication cookies
  • Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
  • Issues that require physical access to a victim’s computer/device
  • Stack traces, path disclosure or directory listings
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  • All sandbox and staging environments
  • Issues on non-Hike assets such as hikeapp.atlassian.net and hikeapp.notion.site

Out-of-Scope vulnerabilities for Android/iOS

  • Exploits using runtime changes
  • Absence of certificate pinning
  • Snapshot/Pasteboard/Clipboard data leakage
  • Lack of obfuscation
  • Exploits reproducible only on rooted/jailbroken devices
  • Android backup vulnerability
  • Irrelevant activities/intents exported
  • Application crashes

Rewards

Acknowledgement: You will be acknowledged for helping us keep our data secure once the reported security vulnerability has been verified and fixed as a result of your report.

Bounty: Our bounty payouts are directly tied to security impact. If we think that for a particular bug a researcher went the extra mile, we may add a bonus to the existing payout.