Zerodha Bug Bounty Program

Program Type: Public

Launched On: Feb. 21, 2025

Ongoing

At Zerodha Broking Limited, we prioritize the security and integrity of our services. As part of this commitment, we are excited to introduce the Zerodha Bug Bounty Program. This initiative invites security researchers to responsibly identify and disclose any vulnerabilities they may find in our platforms. Your valuable insights will help us continuously enhance the safety and robustness of our systems, ensuring a secure environment for all our users.

https://zerodha.com/

https://www.linkedin.com/company/zerodha

Total Submissions

114

Researchers

11127

Unique Visitors

925

Submission Rate

0.85%

Zerodha Broking Limited

Zerodha is an Indian financial services company member of NSE BSE MCX that offers brokerage free equity investments retail institutional broking currencies and commodities trading Founded in 2010 the company is headquartered in Bangalore and has a presence in nine Indian cities It is also an official member of NSEs consultative committee for growing business.

https://zerodha.com/

https://www.linkedin.com/company/zerodha

Scope of Systems

Target	URL	Last Ping	Type	IP Address
Zerodha Web Assets	*.zerodha.com	500 (April 25, 2025, 11:30 a.m.)	Wildcard	0.0.0.0
Coin by Zerodha	https://coin.zerodha.com	200 (April 25, 2025, 11:30 a.m.)	Web	0.0.0.0/32
Kite by Zerodha	https://kite.zerodha.com	200 (April 25, 2025, 11:31 a.m.)	Web	0.0.0.0/32
Console by Zerodha	https://console.zerodha.com	200 (April 25, 2025, 11:31 a.m.)	Web	0.0.0.0/32
Kite Connect APIs	https://api.kite.trade	200 (April 25, 2025, 11:31 a.m.)	API	0.0.0.0
Zerodha Support Portal	https://support.zerodha.com	502 (April 25, 2025, 11:31 a.m.)	Web	0.0.0.0/32
Kite by Zerodha (Android)	https://play.google.com/store/apps/details?id=com.zerodha.kite3&hl=en_IN&gl=US	200 (April 25, 2025, 11:31 a.m.)	Android: Play Store	0.0.0.0
Coin by Zerodha (Android)	https://play.google.com/store/apps/details?id=com.zerodha.coin&hl=en_IN&gl=US	200 (April 25, 2025, 11:31 a.m.)	Android: Play Store	0.0.0.0
Varsity by Zerodha (Android)	https://play.google.com/store/apps/details?id=com.zerodha.varsity&hl=en_IN&gl=US	200 (April 25, 2025, 11:31 a.m.)	Android: Play Store	0.0.0.0
Pulse by Zerodha (Android)	https://play.google.com/store/apps/details?id=com.zerodha.pulse&hl=en_IN&gl=US	200 (April 25, 2025, 11:31 a.m.)	Android: Play Store	0.0.0.0

Showing 1 to 10 out of 14 entries

Out of Scope Systems

Target	URL	Last Ping	Type	IP Address
Developer's Forum	https://kite.trade/forum/	200 (Feb. 21, 2025, 12:16 p.m.)	Web	0.0.0.0
Developer's Login Page	https://developers.kite.trade/login	200 (Feb. 21, 2025, 12:16 p.m.)	Web	0.0.0.0

Showing 1 to 2 out of 2 entries

Rewards Listing

Technical Severity	Created	Bounty Range
Critical (P1)	21 February 2025	40000.00 - 50000.00
Severe (P2)	21 February 2025	30000.00 - 40000.00
Moderate (P3)	21 February 2025	20000.00 - 30000.00
Low (P4)	21 February 2025	10000.00 - 20000.00
Informational (P5)	21 February 2025	Certificate of Appreciation

Certificate of Achievement

Earn Recognition for Your Contributions

This program awards certificates to researchers for their significant contributions and achievements. Researchers can be granted a certificate for their accepted reports by the organization, recognizing their effort and success.

Interested in earning a certificate? Contribute now and make your mark!

SLA - Service Level Agreement

Severity	Resolution (in days)
P1	7
P2	14
P3	30
P4	60
P5	90

Program Rules

Always conduct testing ethically and legally.
Do not publicly disclose the vulnerability without obtaining explicit consent from Zerodha Broking Limited.
Never attempt to access, modify, delete, or store user data.
If using automated tools or scripts, ensure they do not cause harm or excessive traffic to our platforms.
Use only your own accounts for testing. Do not interact with or exploit other real users' accounts.
If you find multiple vulnerabilities, report them sequentially and not simultaneously, giving us time to respond.
Do not conduct tests that may degrade our services or impact our users.

Eligibility to Participate

Age: Participants must be 18 years or older at the time of entry.
Affiliation: Individuals affiliated with Zerodha Broking Limited, including employees, contractors, and their immediate families, are not eligible to participate.
Country of Residence: We accept submissions globally.
Compliance: Researchers must be in full compliance with all terms and conditions of the Zerodha Broking Limited Bounty Initiative.

Out of Scope

Rate limits bounties are only considered if it causes a loss to business or customer data.
Email Spoofing (SPF/DKIM/DMARC misconfiguration on domains which we do not use for sending mails)
Content-Security-Policy configuration opinions
Clickjacking on pages with no sensitive actions.
Wordpress related reports including WP-JSON on Varsity or Z-connect.
SSL Pinning bypass and bypassing root/jailbroken detection
Known CVE vulnerabilities without proper proof of exploitability
Cookie handling (e.g., missing HttpOnly/Secure flags) unless clear impact is demonstrated
Missing HTTP security headers without actual impact POC
Kite forum (We would soon be moving this portal to Discourse)
https://developers.kite.trade (Any reports with respect to developers.kite.trade shall not be included, as we are currently undergoing changes on the website & it would only include Kite account based logins.)

Denial of Service (DoS/DDoS) Attacks: Any attempts to disrupt the service is strictly prohibited.
Physical Security: Physical attacks against offices, data centers, or any other physical assets.
Third-party Platforms: Vulnerabilities in third-party components or services used by Zerodha Broking Limited but not under our direct control.
Unconfirmed Reports: Reports without a clear proof-of-concept or lacking detailed steps to reproduce.
Social Engineering: This includes spear-phishing, pretexting, baiting, and any other form of obtaining information through deception.
Issues related to software or protocols not under Zerodha Broking Limited control.

Follow the Rules and Scope

Carefully review and understand the rules and scope of the bug bounty program. Each program has specific guidelines, eligibility criteria, and a defined scope of systems, applications, or services that are in-scope for testing. Focus your efforts on these areas to ensure your findings are eligible for rewards.

Provide Detailed Reports

When reporting a vulnerability, commit to providing clear and comprehensive details to help the organization reproduce and validate your findings. Include step-by-step instructions, proof-of-concept code if applicable, and any other relevant information that can assist the organization's security team in understanding and verifying the issue.

Collaborate Professionally

Engage in professional communication with the organization's security team. Be responsive to any requests for clarification, additional information, or coordination during the vulnerability verification process. Maintain open and respectful communication throughout the entire process, understanding that both parties are working together to improve security.

Responsible Disclosure

Always adhere to responsible disclosure practices. When you discover a vulnerability, avoid exploiting it for malicious purposes or sharing it with unauthorized parties. Instead, immediately report the vulnerability to the program organizers following the reporting process outlined in the program guidelines. This allows the organization to address the issue before potential harm can occur.

Safe Harbor

Researchers participating in our programs are expected to adhere to specific Safe Harbor provisions. They are assured Legal Protection; by complying with all program terms, they're granted a legal safe harbor, ensuring they won't face lawsuits or legal actions for their reported findings. Participants also commit to Responsible Disclosure, providing ample time to address and rectify vulnerabilities and doesn't disclose any findings publically what so ever. Testing should be confined only to systems they have explicit authorization to assess. Furthermore, during the assessment, data access should be minimized, focusing only on what's necessary to validate a vulnerability, and retaining no user data beyond what is absolutely required.