OYO Responsible Disclosure
OYO takes all the necessary efforts to mitigate all the bugs & shortfalls in our systems. We are open to receiving positive feedback from independent security groups and individual researchers to study it across all platforms and help make OYO technologically safer for our customers. If you discover any such shortfall, we would appreciate a responsible approach in responsibly investigating and reporting it to us so that we can address it as soon as possible. We would further urge you to refrain
from any frivolous reporting. For Security related bugs/vulnerabilities, we offer reward and recognitions after due review and validation. Though we welcome reporting of non-security issues at https://www.oyorooms.com/support/home, please note that only genuine security issues are eligible for recognition program.
This Policy applies to all of OYO’s group companies/affiliates/subsidiaries (“OYO Group”) including but not limited to all of its domains subsisting worldwide.
In scope vulnerabilities
Security issues that typically would be eligible (though not necessarily in all cases) include:
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Code Executions
- SQL injection
- Server Side Request Forgery (SSRF)
- Privilege Escalations
- Authentication Bypasses
- File inclusions (Local & Remote)
- Protection Mechanism bypasses (CSRF bypass, etc.)
- Leakage of sensitive data
- Directory Traversal
- Payment manipulation
- Administration portals without authentication mechanism
- Open redirects which allow stealing tokens/secrets
- XXE Injection
Out of scope vulnerabilities
Things that are not eligible for reward include:
- Lack of rate limiting mechanisms - If this is leading to account takeover it's a valid bug.
- Captcha related concerns - If this is leading to account takeover it's a valid bug.
- Open redirects without a severe impact
- Security bugs impacting wordpress of OYO
- Application stack traces (path disclosures, etc.) - If this is leaking application secret in response it's a valid bug.
- Self-type Cross Site Scripting / Self-XSS
- Vulnerabilities that require Man in the Middle (MiTM) attacks
- Denial of Service attacks
- CSRF issues on actions with minimal impact
- Cache Poisoning
- Click jacking
- Missing SPF records
- Brute force attacks - If this is leading to account takeover it's a valid bug.
- Security practices (banner revealing a software version, missing security headers, etc.)
- Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.
- Vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack, etc.
- Vulnerabilities affecting outdated or unpatched browsers / Operating Systems.
- Bugs that have not been responsibly investigated and reported.
- Bugs in products or websites related to an acquisition for a period of 180 days following any public announcement.
- Bugs already known to us, or already reported by someone else (reward goes to first reporter).
- Issues that aren't reproducible.
- Issues that we can't reasonably be expected to do anything about.
- Reports of current or previous employees of OYO (Oravel Stays private limited)
Guidelines & Rules
Participating in OYO’s Responsible Disclosure program requires you to follow our guidelines. Responsible investigation and reporting includes, but not limited to the following:
- Don't violate the privacy of other users, destroy data, disrupt our services, etc.
- Don't request updates on hourly basis. We are handling dozens of reporters daily and spam impacts OYO's Responsible Disclosure Program efficiency.
- Only target your own accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the accounts of other users.
- Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc.
- In case you find a severe vulnerability that allows system access, you must not proceed further.
- It is OYO’s decision to determine when and how bugs should be addressed and fixed.
- Disclosing bugs to a party other than OYO is forbidden, all bug reports are to remain at the reporter and OYO’s discretion.
- Threatening of any kind will automatically disqualify you from participating in the program.
- Exploiting or misusing the vulnerability for own or others benefit will automatically disqualify the report.
- Bug disclosure communications with OYO’s Security Team are to remain confidential. Researchers must destroy all artefacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.
In general, please investigate and report bugs in a way that makes a reasonable, good faith effort not to be disruptive or harmful to us or our users. Otherwise your actions might be interpreted as an attack rather than an effort to be helpful.
- Must pertain to an item explicitly listed under our in-scope vulnerabilities section.
- Must contain enough information and a proof of concept code or screenshot.
- You agree to participate in testing the effectiveness of the countermeasure applied to your report.
- You agree to keep any communication with OYO private. This is a Responsible Disclosure. If you want to publish the bug to a public platform, you need to take prior permission from OYO before doing that.
- We duely recognise all the relevant responsible disclosures by means of “Certificate of Recognition” and “Hall of Fame”
- Monetary rewards may be considered in some exceptional cases on the sole discretion of Oyo. Requests or demands for monetary compensation in connection with any identified or alleged vulnerability are non-compliant with this Responsible Disclosure Policy.
How to report a bug?
- Send an email to email@example.com, referring to the Report Template below.
- Include as much information in your report as you can. Ideally, a description of your findings, the steps needed to reproduce it, and the vulnerable component (i.e. API endpoint, etc.)
- If you need to share screenshots / videos for PoC, please upload to your own Google Drive or any other upload service and share with us the links to those files in the form.
- Include your correct name and contact details so we can reach out to you.
Allow us up to 7 days to respond before sending another email on the matter.
The identified bug shall have to be reported to our security team by sending us a mail from their registered email address to firstname.lastname@example.org (SUBJECT: SUSPECTED VULNERABILITY ON OYO) (without changing the subject line else the mail shall be ignored). The mail should strictly follow the format below:
Reporter Full Name:
Any Publicly Identifiable profile(LinkedIn, Github etc.):
- Detailed Description:
- Steps to Reproduce:
Public Disclosure Policy
By default, this program is in “PUBLIC NONDISCLOSURE” mode which means:
"THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO PUBLIC, FAILING WHICH SHALL BE LIABLE FOR LEGAL PENALTIES!”