Contact: security-saas[AT]abhibus[DOT]com
Preferred-Language: en

# Security Policy

Unauthorized attempts to access, modify, or delete other users' data are strictly prohibited. If you inadvertently access user data, delete all relevant information immediately and report the incident to us without delay.

Disclose any reproducible security issues to us as soon as possible. Vulnerability disclosures should only occur after we have confirmed the deployment or release of a fix.

Findings obtained through automated tools that cause significant server load will not be considered.

# Scope

- https://www.apsrtconline.in
- Latest release of the APSRTC Web, WAP and mobile applications (Bus Booking) from the Google Play Store and Apple App Store

# Qualifying Vulnerabilities

Any design or implementation issue that is reproducible and substantially affects the security of APSRTC users or the platform is likely to be in scope for the program. Common examples include:

- Injections
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Remote Code Execution (RCE)
- Authentication/Authorisation flaws
- Domain take-over vulnerabilities
- Ability to take over other APSRTC user accounts (while testing, use a second test account of your own to validate)
- Any vulnerability that can affect the APSRTC brand, user data or financial transactions

# Non-Qualifying Vulnerabilities

- Clickjacking / UI redressing
- Duplicates / internally known issues
- Vulnerabilities found using automated tools (unless possible impact is demonstrated)
- Vulnerabilities requiring MITM or physical access to the victim's unlocked device
- No rate limiting (unless it can lead to a serious issue, e.g. account hijacking)
- Incomplete or missing SPF/DMARC/DKIM records
- Low-impact information disclosures such as software version disclosure
- Missing cookie flags
- Vulnerabilities requiring the use of outdated browsers, plugins or platforms
- Vulnerabilities having low or no security implications
- Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)
- IIS Tilde File and Directory Disclosure
- CSV Injection
- PHP Info

Feel free to report security issues at security-saas[AT]abhibus[DOT]com, but note that issues falling into the "Non-Qualifying" category may not be addressed.

# Miscellaneous

Please adhere to the stated rules; non-compliance may result in legal action.

When reporting a bug, ensure it is thoroughly documented, including the following details:

- A comprehensive description of the bug, its impact, and recommended fixes
- Step-by-step instructions to replicate the attack
- A video proof of concept (POC) and clear snapshots of the actions performed
- The IP address from which the requests were sent to our servers

# Rewards (if applicable)

Unique bugs will be eligible for rewards. We do not offer monetary compensation for bug reports aimed at improving the security of APSRTC. In case of duplicate reports, the original reporter(s) will be notified.

# Note

Abhibus reserves the right to change or modify its security policy as needed.