Organization image

Baazi Games Bug Bounty Program

Launched On: May 7, 2024
Ongoing

Baazi Games is committed to ensuring the security of the public by protecting their information from unwarranted disclosure. We are intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us. We describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities. 

We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered – as set out in this policy – so we can fix them and keep our users safe. We have developed this policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith. 

http://baazigames.com/

https://www.linkedin.com/company/baazi-games/

Total Submissions

71

Researchers

8294

Unique Visitors

613

Submission Rate

0.73%

Baazi Games

PokerBaazi’s vision is to maximise the reach of the sport in Indian households. “Life is a game of Poker and not a game of Chess.” This quote from Annie Duke precisely summarises how Poker's skill game is also useful in learning so many essential life skills. Baazi Games is one of India’s leading gaming tech organisations. Having started in 2014, its flagship product PokerBaazi is today India’s biggest Poker platform. Baazi Games also operates other skill gaming brands, CardBaazi - a one-stop shop for multiple card games like Rummy, Call Break, Dehla Pakad, and more, & SportsBaazi - A leading spectator gaming platform.

http://baazigames.com/
https://www.linkedin.com/company/baazi-games/
Login Required

Please Log In

You need to be logged in to access this section. Please log in to your account to continue.

If you don't have an account, please sign up to participate.

Important Disclaimer

Feature access requests, including account whitelisting, should only be submitted if you are a registered user on the Baazi Games platform with the contact number provided. Requests made with unregistered numbers will not be processed. Please ensure your account is properly registered before submitting any requests to avoid delays or rejections.

Please adhere to the guidelines above to ensure the integrity and stability of our testing environment. Thank you for your cooperation.

Rewards Listing

Technical Severity Created Bounty Range Deadline
Critical (P1)
 07 May 2024 10000.00 - 20000.00 06 May 2025
Severe (P2)
 07 May 2024 5000.00 - 10000.00 06 May 2025
Moderate (P3)
 07 May 2024 2000.00 - 5000.00 06 May 2025
Low (P4)
 07 May 2024 Certificate of Appreciation 06 May 2025
Informational (P5)
 07 May 2024 Certificate of Appreciation 06 May 2025
Certificate of Achievement

Earn Recognition for Your Contributions

This program awards certificates to researchers for their significant contributions and achievements. Researchers can be granted a certificate for their accepted reports by the organization, recognizing their effort and success.

Interested in earning a certificate? Contribute now and make your mark!

SLA - Service Level Agreement
Severity Resolution (in days)
P1
7
P2
14
P3
30
P4
60
P5
0
Program Rules

Under this policy, “research” means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems.
  • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
  • You will not intentionally compromise the privacy or safety of Baazi Games personnel (e.g. civilian employees or military members), or any third parties.
  • You will not intentionally compromise the intellectual property or other commercial or financial interests of any Baazi Games personnel or entities, or any third parties.

Once you’ve established that a vulnerability exists or encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately (within 24 hrs), and not disclose this data to anyone else.

In order to help us triage and prioritise submissions, we recommend that your reports:

  • Adhere to all legal terms and conditions outlined in the policy and the Baazi Games Responsible Disclosure Terms of Service.
  • Describe the vulnerability, where it was discovered, and the potential impact of exploitation.
  • Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
Eligibility to Participate

Security researchers must not:

  • Test any system other than the systems set forth in the ‘Scope’ section above,
  • Disclose vulnerability information except as set forth in the ‘Reporting a Vulnerability’ and ‘Disclosure’ sections below
  • engage in physical testing of facilities or resources,
  • engage in social engineering,
  • send unsolicited electronic mail to Baazi Games users, including “phishing” messages,
  • execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks,
  • introduce malicious software,
  • test in a manner which could degrade the operation of Baazi Games systems; or intentionally impair, disrupt, or disable Baazi Games systems,
  • test third-party applications, websites, or services that integrate with or link to or from Baazi Games systems, Baazi Gamesdata, or render Baazi Games data inaccessible, or,
  • use an exploit to exfiltrate data, establish command line access, establish a persistent presence on Baazi Games systems, or “pivot” to other Baazi Games systems.

Security researchers may:

  • View or store Baazi Games nonpublic data only to the extent necessary to document the presence of a potential vulnerability.

Security researchers must:

  • cease testing and notify us immediately upon discovery of a vulnerability,
  • cease testing and notify us immediately upon discovery of an exposure of nonpublic data, and,
  • purge any stored Baazi Games nonpublic data upon reporting a vulnerability.
Out of Scope

All systems and services associated with domains listed below are in scope. Likewise, subdomains of each listing, unless explicitly excluded, are always in scope.  Additionally, any website published with a link to this policy shall be considered in scope. Vulnerabilities found in non-federal systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any).

  • Denial of Service (DoS/DDoS) Attacks: Any attempts to disrupt the service is strictly prohibited.
  • Physical Security: Physical attacks against offices, data centers, or any other physical assets.
  • Third-party Platforms: Vulnerabilities in third-party components or services used by Baazi Games but not under our direct control.
  • Social Engineering: This includes spear-phishing, pretexting, baiting, and any other form of obtaining information through deception.
  • Clickjacking on pages with no sensitive actions.
  • Issues related to software or protocols not under Baazi Games control.
  • Unconfirmed Reports: Reports without a clear proof-of-concept or lacking detailed steps to reproduce.
Follow the Rules and Scope

Carefully review and understand the rules and scope of the bug bounty program. Each program has specific guidelines, eligibility criteria, and a defined scope of systems, applications, or services that are in-scope for testing. Focus your efforts on these areas to ensure your findings are eligible for rewards.


Provide Detailed Reports

When reporting a vulnerability, commit to providing clear and comprehensive details to help the organization reproduce and validate your findings. Include step-by-step instructions, proof-of-concept code if applicable, and any other relevant information that can assist the organization's security team in understanding and verifying the issue.


Collaborate Professionally

Engage in professional communication with the organization's security team. Be responsive to any requests for clarification, additional information, or coordination during the vulnerability verification process. Maintain open and respectful communication throughout the entire process, understanding that both parties are working together to improve security.


Responsible Disclosure

Always adhere to responsible disclosure practices. When you discover a vulnerability, avoid exploiting it for malicious purposes or sharing it with unauthorized parties. Instead, immediately report the vulnerability to the program organizers following the reporting process outlined in the program guidelines. This allows the organization to address the issue before potential harm can occur.


Safe Harbor

Researchers participating in our programs are expected to adhere to specific Safe Harbor provisions. They are assured Legal Protection; by complying with all program terms, they're granted a legal safe harbor, ensuring they won't face lawsuits or legal actions for their reported findings. Participants also commit to Responsible Disclosure, providing ample time to address and rectify vulnerabilities and doesn't disclose any findings publically what so ever. Testing should be confined only to systems they have explicit authorization to assess. Furthermore, during the assessment, data access should be minimized, focusing only on what's necessary to validate a vulnerability, and retaining no user data beyond what is absolutely required.