TrulyMadly Report Vulnerability Program Terms
TrulyMadly’s top priority is security. If you believe you've found a security bug in our in-scope applications or infrastructure, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
Your participation in our Report Vulnerability Program is voluntary. By participating in our Report Vulnerability Program, submitting a report or otherwise disclosing a vulnerability to us (“Submission”), you are indicating that you have read and agree to follow the rules set forth on this page (“Program Terms”).
If (i) you do not meet the eligibility requirements below; (ii) you breach any of these Program Terms or any other agreements you have with TrulyMadly or its affiliates; or (iii) we determine that your participation in our Report Vulnerability Program could adversely impact us, our affiliates or any of our members, employees or agents, we, in our sole and absolute discretion, may ban you from our Report Vulnerability Program and disqualify you from receiving any benefit of our Report Vulnerability Program.
If you have questions about the TrulyMadly service or are trying to get help with your own TrulyMadly account, please refer to trulymadly.com/contact for assistance.
Any information you receive, collect or otherwise obtain about us, our services, our affiliates or any of our members, employees or agents, in connection with our Report Vulnerability Program (whether after or before you participate in the Report Vulnerability Program, notably as a result of you finding and/or investigating a security bug in our in-scope applications or infrastructure) (“Confidential Information”) must be kept confidential, only used in connection with the Report Vulnerability Program and not disclosed to any third party. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your participation in our Report Vulnerability Program and any Submission.
By participating in our Report Vulnerability Program, you represent and warrant that you have not used and will not use Confidential Information for any purpose other than in connection with the Report Vulnerability Program and that you have not shared and will not share such Confidential Information with any third party.
Once a Submission is made, TrulyMadly reserves the right to request from you, and you already accept to abide by this request, to securely and irreversibly delete any data related to such Submission, including, without limitation, any data about us, our services, our affiliates or any of our members, employees or agents. Additionally, you agree to securely and irreversibly delete any data related to the Submission immediately upon it no longer being reasonably necessary to retain for the purposes of conveying the impact or scope of the reported issue, after verifying with TrulyMadly that it is no longer necessary, and/or if the Submission is closed, regardless of outcome.
To participate in our Report Vulnerability Program, you must:
- Be at least 18 years of age if you test using a TrulyMadly account, and otherwise be the age of majority in your jurisdiction of residence or have the consent of your parent or guardian to participate in our Report Vulnerability Program. In any event, you must be over the age of 13.
- Not be a resident of, or make a Submission to our Report Vulnerability Program from, a country against which the India has issued export sanctions or other trade restrictions.
- Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Report Vulnerability Program.
- Not be employed by TrulyMadly or any of its affiliates or an immediate family member of a person employed by TrulyMadly or any of its affiliates.
You are responsible for any tax implications of a reward from our Report Vulnerability Program depending on your country of residency and citizenship.
Program Ground Rules
- Don’t mass create accounts to perform testing against our applications and services.
- No destructive automated testing - under no circumstance should automated testing cause intentional damage to TrulyMadly’s systems.
- Don’t engage in social engineering (e.g. phishing, vishing, smishing).
- Don’t attempt to extort us.
- Don’t leave any system in a more vulnerable state than you found it.
- Don’t publicly disclose vulnerabilities without our explicit consent.
- Do respect our members’ privacy.
- Don't violate the privacy of other users, destroy data, disrupt our services, etc.
- Do research vulnerabilities and disclose vulnerabilities to us in good faith.
- Do be respectful when interacting with our team.
- Don't leak, manipulate, or destroy any user data. Please only test against accounts you own yourself or with explicit permission of the account holder.
TrulyMadly reserves the right to decide if the minimum severity threshold is met and whether it was previously reported.
To qualify for a reward under this program, you must:
- Send a clear textual vulnerability description of the bug along with the steps to reproduce the vulnerability.
- Include attachments such as screenshots and proof of concept code as necessary. A clear description and proof of concept helps you prove that the security bug is legitimate and speeds up the reward process.
- Be the first to report a specific vulnerability.
- Disclose the vulnerability report directly and exclusively to us.
Reminder: you are not permitted to disclose vulnerabilities to third parties - including vulnerability brokers.
- Stay in scope
- Do not attempt to elevate privileges, or explore a system beyond the minimum necessary to prove access or attempt to pivot in any way. This will disqualify you from receiving a bounty.
In general, the following would not meet the threshold for inclusion:
- Vulnerabilities on sites hosted by third-parties unless they lead to a vulnerability on the main website / application
- Denial of service
- Social engineering
- Homographs, RTLO, or other types of UI issues
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Click-jacking, or issues only exploitable via click-jacking
- Disclosure of known public files or directories (.htaccess, robots.txt, etc)
- Third-party vulnerabilities (e.g. Wordpress) that have recently become publicly known will generally be out of scope.
- Missing or misconfigured security headers which do not lead directly to a vulnerability
- Overly verbose responses (errors, banners, etc.), which cannot be directly used in an exploit
- Software version disclosure without proof of exploitability
- Reports from automated tools or scans
- Lack of certificate pinning, or HSTS
- TLS/SSL version, configuration, weak ciphers or expired certificates
- Lack of Secure, or HTTPOnly flags on cookies
- Lack of, or weak, Captcha, or rate-limiting
- SPF/DKIM/DMARC related issues, including missing SPF records on subdomains
- Scenarios that require unlikely user interaction and/or outdated OS or software version
- Login/Logout CSRF
- Unrestricted file uploads without a clear impact, beyond resource consumption, DoS, undesirable content, etc.
- Third-party API Keys/Secrets embedded in mobile applications, without a clear impact, as many third-parties require this for their own client attribution purposes.
- The ability to obtain multiple promotional items by opening multiple accounts
- Most GPS spoofing related issues
- Attacks against corporate IT infrastructure (e.g. firewalls and their software)
- Attacks against employees (phishing, stealing laptops, physical security issues, etc.)
- Host header injection without a clearly exploitable condition
- Mobile client issues requiring a rooted device and/or outdated OS version
- Attacks requiring MITM or physical access to a user's device.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Program Updates and Licenses
We may modify the Program Terms or cancel our Report Vulnerability Program at any time in our sole and absolute discretion.
As a condition of participation in the our Report Vulnerability Program, you hereby grant TrulyMadly and its affiliates a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable and exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to TrulyMadly in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us. You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission.
Thank you for doing your part in keeping the TrulyMadly community safe!
TrulyMadly recognizes and rewards security researchers who help us keep people safe by reporting vulnerabilities in our services
- Monetary bounties for such reports are entirely and solely at TrulyMadly’s discretion, based on risk, impact, and other factors.
- To potentially qualify a bounty, you first need to follow the requirements and adhere to Report Vulnerability Program.
- We investigate all valid reports. In case found qualified, we award a bounty to the first person to submit an issue.
- Bounty amounts are determined based on a variety of factors, including but not limited to impact, ease of exploitation, and quality of the report.
- If we pay a bounty, the minimum reward is 1000 INR. Note that extremely low-risk issues may not qualify for a bounty at all.