• Unauthorised attempts to access, modify, or delete other users' data are strictly prohibited. If you inadvertently access user data, immediately delete all relevant information and promptly report the incident to us.
• Vulnerability disclosures should only be made after we have confirmed that a fix has been deployed or released. Findings obtained through automated tools that cause significant server load will not be considered.
• Do not violate the privacy of other users, destroy data, or disrupt our services.
• Avoid requesting updates on an hourly basis; instead, you will receive a human acknowledgement of your report within the mentioned timelines.
• You must refrain from exploiting or conducting further testing of any security issues you discover, including demonstrating additional risks.
• Do not engage in social engineering, send unsolicited electronic mail to ixigo users, including “phishing” messages.
• Do not test third-party applications, websites, or services that integrate with or link to or from ixigo systems, Ixigo data, or render ixigo data inaccessible, or use an exploit to exfiltrate data, establish command line access, establish a persistent presence on ixigo systems, or “pivot” to other Ixigo systems.
• Do not target our physical security measures or attempt social engineering, spam, distributed denial-of-service (DDoS) attacks, or similar activities.
• Any form of threat will result in automatic disqualification from the program and may lead to legal action against you.
• If you believe you have discovered a vulnerability that meets the criteria outlined in our policy, notify us as soon as possible after you discover a real or potential security issue.
• Ensure you provide all relevant details, including the versions of the tools you used in your submission.
• All submissions must include a proper Proof of Concept (POC) and any necessary special configurations to help us validate your findings.
• To be considered valid, submissions should have a significant impact and be exploitable.
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
• Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems.
• Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
• You will not intentionally compromise the privacy or safety of ixigo personnel (e.g. civilian employees or military members), or any third parties.
• You will not intentionally compromise the intellectual property or other commercial or financial interests of any ixigo personnel or entities, or any third parties.

• Age: Participants must be 18 years or older at the time of entry.
• Affiliation: Individuals affiliated with ixigo, including employees, contractors, and their immediate families, are not eligible to participate.
• Country of Residence: While we accept submissions globally.
• Compliance: Researchers must be in full compliance with all terms and conditions of the ixigo Bounty Initiative.

• Zero-day vulnerabilities or recently disclosed CVEs will not be considered eligible until more than 90 days have passed since patch availability.
• Clickjacking/UI Redressing
• Duplicates / Internally Known Issues
• Vulnerabilities found using automated tools (unless possible impact is demonstrated)
• Vulnerabilities requiring MITM or physical access to the victim's unlocked device.
• No Rate Limiting (unless it can lead to a serious issue, e.g., account hijacking)
• Incomplete or missing SPF/DMARC/DKIM records
• Low-impact information disclosures, such as software version disclosure
• Missing cookie flags
• Vulnerabilities requiring outdated browsers, plugins, or platforms
• Vulnerabilities having low or no security implications
• Vulnerabilities that require the user/victim to perform extremely unlikely actions (e.g., Self-XSS)
• IIS Tilde File and Directory Disclosure
• CSV Injection
• PHP Info
• Social Engineering / Phishing Attacks
• Content Injection / Content Spoofing
• Reports related to the disclosure of Exif metadata from uploaded files

Out of Scope Bugs for Android App:

• Absence of certificate pinning
• Sensitive data stored in the app's private directory
• User data stored unencrypted on external storage
• Lack of binary protection control in the Android app
• Shared links leaked through the system clipboard
• Any URIs leaked because a malicious app has permission to view opened URIs
• Sensitive data in URLs/request bodies when protected by TLS
• Lack of obfuscation
• OAuth app secret hard-coded/recoverable in the APK
• Crashes due to malformed intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)

Out of Scope Bugs for iOS App:

• Absence of certificate pinning
• Lack of exploit mitigations (e.g., PIE, ARC, or Stack Canaries)
• Path disclosure in the binary
• User data stored unencrypted on the file system
• Lack of binary protection (anti-debugging) controls
• Lack of obfuscation
• Lack of jailbreak detection
• Runtime hacking exploits (exploits only possible in a jailbroken environment)
• OAuth app secret hard-coded/recoverable in the IPA
• Snapshot/pasteboard leakage
• Crashes due to malformed URL schemes

Carefully review and understand the rules and scope of the bug bounty program. Each program has specific guidelines, eligibility criteria, and a defined scope of systems, applications, or services that are in-scope for testing. Focus your efforts on these areas to ensure your findings are eligible for rewards.

When reporting a vulnerability, commit to providing clear and comprehensive details to help the organization reproduce and validate your findings. Include step-by-step instructions, proof-of-concept code if applicable, and any other relevant information that can assist the organization's security team in understanding and verifying the issue.

Engage in professional communication with the organization's security team. Be responsive to any requests for clarification, additional information, or coordination during the vulnerability verification process. Maintain open and respectful communication throughout the entire process, understanding that both parties are working together to improve security.

Always adhere to responsible disclosure practices. When you discover a vulnerability, avoid exploiting it for malicious purposes or sharing it with unauthorized parties. Instead, immediately report the vulnerability to the program organizers following the reporting process outlined in the program guidelines. This allows the organization to address the issue before potential harm can occur.

Researchers participating in our programs are expected to adhere to specific Safe Harbor provisions. They are assured Legal Protection; by complying with all program terms, they're granted a legal safe harbor, ensuring they won't face lawsuits or legal actions for their reported findings. Participants also commit to Responsible Disclosure, providing ample time to address and rectify vulnerabilities and doesn't disclose any findings publically what so ever. Testing should be confined only to systems they have explicit authorization to assess. Furthermore, during the assessment, data access should be minimized, focusing only on what's necessary to validate a vulnerability, and retaining no user data beyond what is absolutely required.