Bug Bounty Program - EkRewards

EkRewards Bug Bounty Program

At EkRewards, protecting user data and QR rewards operations is a priority. We use robust systems and continuous monitoring to ensure 100% security. We deeply value the security community's contribution to keeping our platform and customers safe.

How It Works

  • To report potential security issues, contact us at .
  • Our security team will verify submitted bug reports for severity and authenticity within 90 days.
  • If confirmed, we will promptly resolve the issue and keep the reporter informed at every step.

Eligibility

  • Be the first to submit a specific vulnerability affecting any part of the EkRewards application.
  • The bug must qualify under our published categories.
  • Do not publish vulnerability details publicly until resolved—confidentiality is required.
  • Do not violate privacy or Indian data protection laws while testing.
  • Disruption to live systems, unauthorized data modification, or actions negatively affecting user experience are not permitted.
  • Any policy breaches can result in disqualification or removal from the program.

Rewarding Responsible Disclosure

EkRewards celebrates ethical hackers who help safeguard QR code rewards and digital engagement. Eligible security researchers will be rewarded for their effort and expertise.

Guidelines

  • Use only the designated channel to report any suspected security vulnerability.
  • Every ticket should include a clear description of the vulnerability and its potential impact.
  • Provide detailed, step-by-step instructions and a complete video proof-of-concept (POC) that demonstrates the issue.
  • Refer to the program's scope and qualifying criteria below.

Scope

  • Website: EkRewards ()
  • Out-of-Scope: Staging domains or any subdomain not directly associated with ekrewards.com.

Qualifying Vulnerabilities

Any issue that significantly affects the confidentiality or integrity of user data may qualify, including:

  • Cross-site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • SQL Injection
  • Server-Side Remote Code Execution (RCE)
  • XML External Entity Attacks (XXE)
  • Access Control Issues (e.g., Privilege Escalation)
  • Unprotected administrative panels
  • Directory Traversal
  • File Disclosure or Inclusion bugs
  • Payment manipulation
  • Other major server-side code execution flaws

Non-Qualifying Vulnerabilities

These are generally not eligible for rewards:

  • Low-impact open redirects
  • Reports lacking a proof of concept
  • Findings that concern only outdated or unpatched software, weak headers, or speculative harm
  • Automated scan results with no manual validation
  • Denial of Service (DoS), brute force, or physical/social engineering attacks
  • Security recommendations or enhancements, banner grabbing, or missing cookie flags
  • Issues requiring physical access or impacting only outdated browsers
  • Fraud or theoretical vulnerabilities without practical demonstration

Reward

EkRewards expresses gratitude to ethical hackers with rewards in the form of popular gift cards:

Bug Severity | Reward Value
High         | INR 5,000
Medium       | INR 2,500
Low          | INR 1,000

Note

The EkRewards security team's decision on bug eligibility and reward value is final. The program may be updated or canceled at the company's discretion.
