Responsible Disclosure Program Policy

Program Intention

The Good Glamm Group (G3) is the largest content to commerce group in South Asia. At G3, we aim to maintain secure services & we value the hard work that goes into security research.

If you happen to discover a valid security vulnerability in our app or website, we recognize and appreciate your help in disclosing it to us in a responsible way.

How To Report a Bug?

  • Please use security@goodglamm.com to communicate your research results.
  • Please note that only genuine security issues are eligible for recognition by this program.
  • After the initial triaging and realization of the issue as valid & non-duplicate, we will reach the researcher accordingly.

Engagement Principles

  • Report vulnerabilities expediently: to help us reduce the risk of malicious actors finding and exploiting.
  • Don’t attempt to access another user’s account Only user accounts that you own control.
  • Do not impact other users with your testing: Includes impacting an account you do not own.
  • Never attempt non-technical attacks: Social engineering, phishing, or physical attacks against Good Glamm Group employees, users, or the network infrastructure is not allowed.
  • Please provide detailed reports with reproducible steps: Help us verify your claim.
  • Duplicates: 1st report wins.
  • Multiple vulnerabilities caused by an underlying issue: Chaining vulnerabilities to yield high impact. i.e., High impact = Higher bounty or Hall of Fame.
  • Submit vulnerability-wise report: 1 report. = 1 vulnerability, unless they are connected.
  • Privacy violations, destruction of data, and network interruption: Big NO..!!

Note: In case, if your security research includes other organizational frameworks/services that we use at Good Glamm Group, it doesn’t fall under the scope of this program. Any such security research or investigation should be deemed as not authorized by our Organization, in any way.

Program Scope

  • The bug must be on one of the production websites / services / mobile apps part of the Good Glamm Group’s online assets.

Out of Scope Vulnerabilities

  • Browser cache-related issues.
  • Clickjacking-related issues.
  • Issues that aren’t reproducible.
  • Missing SPF / DMARC records.
  • Missing Headers / SSL issues / HSTS.
  • Open redirects without a severe impact.
  • Denial of Service (DoS, DDOS) attacks.
  • Self-type Cross-Site Scripting / Self-XSS.
  • CSRF issues on actions with minimal impact.
  • Brute force attacks or Lack of rate-limiting mechanisms.
  • Security bugs impacting WordPress of our in scoped websites.
  • Bugs that have not been responsibly investigated and reported.
  • Vulnerabilities that require Man in the Middle (MiTM) attacks.
  • Issues that we can’t reasonably be expected to do anything about.
  • Reports of current or previous employees of Good Glamm Group.
  • Vulnerabilities affecting outdated or unpatched browsers / Operating Systems.
  • Captcha-related concerns – If this leads to account takeover it’s a valid bug.
  • Security practices (banner revealing a software version, missing security headers, etc.)
  • Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.
  • Vulnerabilities contingent on physical attack, social engineering, spamming, etc.
  • Bugs already known to us, or already reported by someone else (reward goes to the first reporter).
  • Application stack traces (path disclosures, etc.); If it is leaking the application’s secrets in response then it is a valid bug.
  • Bugs in products or websites related to an acquisition for a period of 365 days following any public announcement.
  • For Mobile device (Android/iOS) Apps
    • Application crashes
    • Lack of obfuscation
    • Android backup vulnerability.
    • Absence of certificate pinning
    • Exploits using runtime changes.
    • Irrelevant activities/intents exported.
    • Snapshot/Pasteboard/Clipboard data leakage.
    • Exploits reproducible only on rooted/jailbroken devices.

Public Disclosure Guidelines

  • By default, this program is in “Public Nondisclosure” mode which means:
    • “This program does not allow public disclosure. one should not release information about vulnerabilities found in this program to the public. Failing that will warrant legal proceedings!”
  • As this is a private program, please do not discuss found/reported vulnerabilities (even resolved ones) outside of the program without a clear consent from the Organization.
  • Failing to adhere to any of these guidelines may result in not receiving a reward for the bug’s discovery or can be dispelled from the program.

Note: We expect you to have familiarity with the industry’s standard guidelines for this kind of research done by any Bug Bounty Hunter, in general.

Security Hall of Fame

Sumit Sahoo
Vishwas Reddy