Flipkart Responsible Disclosure Program
Flipkart Responsible Disclosure Program is unwavering in its commitment to the security and integrity of our services. To further this mission, we are proud to introduce the Flipkart Responsible Disclosure Program. We invite security researchers to responsibly identify and report any potential vulnerabilities on our platforms. Your contributions will play a crucial role in strengthening the safety and security of our systems.
Total Submissions
79
Researchers
11545
Unique Visitors
784
Submission Rate
0.56%
Flipkart
At Flipkart, we are driven by our purpose of empowering every Indians dream by delivering value through innovation in technology and commerce. With a customer base of over 350 million, product coverage of over 150 million across 80+ categories, a focus on generating direct and indirect employment and a commitment to empowering generations of entrepreneurs and MSMEs, all driven by a sustainable growth strategy – Flipkart is maximising for customers, stakeholders, and the planet at large! At Flipkart, our promise to every Flipster is - getting an opportunity to leave a mark and create their own legacy, the freedom to experiment, learn and grow, work with the industry’s brightest minds as part of a diverse team and we will extend our culture of care to them to ensure that they can focus on doing their best work. Driven by audacity, bias for action, customer first, integrity and inclusion – Flipsters have pioneered solutions that have transformed digital commerce in India. From the industry-first introduction of cash-on-delivery in 2010 to the launch of voice search and multiple vernacular interfaces in 2021 that have made e-commerce a very inclusive experience, Flipkart continues the exciting journey of solving for the Indian customer. We understand that your own aspirations and journeys are unique. So you choose what you want to maximise, and we provide you the platform for it - because when you maximise, we maximise. Flipkart is a part of the Walmart-owned Flipkart Group, which also includes group companies Flipkart Wholesale, Flipkart Health+, Cleartrip, and Myntra.
Scope of Systems
| Target | URL | Last Ping | Type | IP Address |
|---|---|---|---|---|
| Flipkart | https://*.flipkart.com/ | 500 (May 14, 2025, 8:20 p.m.) | Wildcard | 163.53.76.86 |
| Myntra | https://*.myntra.com/ | 500 (May 14, 2025, 8:20 p.m.) | Wildcard | 23.45.137.3 |
Showing 1 to 2 out of 2 entries
Earn Recognition for Your Contributions
This program awards certificates to researchers for their significant contributions and achievements. Researchers can be granted a certificate for their accepted reports by the organization, recognizing their effort and success.
| Severity | Resolution (in days) |
|---|---|
|
P1
|
1 |
|
P2
|
3 |
|
P3
|
7 |
|
P4
|
14 |
|
P5
|
0 |
- Always conduct testing ethically and legally.
- Do not publicly disclose the vulnerability without obtaining explicit consent from Flipkart.
- Never attempt to access, modify, delete, or store user data.
- If using automated tools or scripts, ensure they do not cause harm or excessive traffic to our platforms.
- Use only your own accounts for testing. Do not interact with or exploit other real users' accounts.
- If you find multiple vulnerabilities, report them sequentially and not simultaneously, giving us time to respond.
- Do not conduct tests that may degrade our services or impact our users.
- Age: Participants must be 18 years or older at the time of entry.
- Affiliation: Individuals affiliated with Com Olho, including employees, contractors, and their immediate families, are not eligible to participate.
- Country of Residence: While we accept submissions globally, individuals residing in countries under sanctions by the United Nations are not eligible for monetary rewards.
- Compliance: Researchers must be in full compliance with all terms and conditions of the Com Olho Bounty Initiative.
- Must demonstrate security impact for the report to be considered - general software bugs(like SSL, older versions etc.) are not in scope for this program.
- Server version disclosure is out of scope.
- Username Enumeration via signup and account recovery forms
- Vulnerabilities regarding SPF/DMARC/DKIM records without verifiable proof of spoofing to a major mail client
- Best practice concerns like cookie is not marked secure and http only, missing HSTS, SSL/TLS configuration, missing security headers, etc.
- Vulnerabilities reported by automated tools and scanners without additional proof of concept
- Vulnerabilities that only affect outdated app versions or browsers - we consider vulnerabilities only in the versions of our applications that are currently in the app store and exploits only in the latest browser versions
- Denial of Service(DoS) and Distributed Denial of Service(DDoS) attacks
- Exploits that need MITM or physical access to the victim’s device
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF
- Previously known vulnerable libraries without a working Proof of Concept
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Most of the open redirect vulnerabilities have low security impact. In case, the impact is high, do let us know.
- Stack traces, directory listings or path disclosures
- Self XSS
- Social engineering attacks, both against users or Flipkart employees
- Issues related to delivery charges exception on return
- Issues on non-flipkart assets like careers.flipkart.com, flipkart.atlassian.net
Out-of-Scope vulnerabilities for android/ios
- Exploits reproducible only on rooted/jailbroken devices
- Absence of certificate pinning
- Snapshot/Pasteboard/Clipboard data leakage
- Lack of obfuscation
- Exploits using runtime changes
- Application crashes
- Irrelevant activities/intents exported
- Android backup vulnerability
Carefully review and understand the rules and scope of the bug bounty program. Each program has specific guidelines, eligibility criteria, and a defined scope of systems, applications, or services that are in-scope for testing. Focus your efforts on these areas to ensure your findings are eligible for rewards.
When reporting a vulnerability, commit to providing clear and comprehensive details to help the organization reproduce and validate your findings. Include step-by-step instructions, proof-of-concept code if applicable, and any other relevant information that can assist the organization's security team in understanding and verifying the issue.
Engage in professional communication with the organization's security team. Be responsive to any requests for clarification, additional information, or coordination during the vulnerability verification process. Maintain open and respectful communication throughout the entire process, understanding that both parties are working together to improve security.
Always adhere to responsible disclosure practices. When you discover a vulnerability, avoid exploiting it for malicious purposes or sharing it with unauthorized parties. Instead, immediately report the vulnerability to the program organizers following the reporting process outlined in the program guidelines. This allows the organization to address the issue before potential harm can occur.
Researchers participating in our programs are expected to adhere to specific Safe Harbor provisions. They are assured Legal Protection; by complying with all program terms, they're granted a legal safe harbor, ensuring they won't face lawsuits or legal actions for their reported findings. Participants also commit to Responsible Disclosure, providing ample time to address and rectify vulnerabilities and doesn't disclose any findings publically what so ever. Testing should be confined only to systems they have explicit authorization to assess. Furthermore, during the assessment, data access should be minimized, focusing only on what's necessary to validate a vulnerability, and retaining no user data beyond what is absolutely required.