Namshi Bug Bounty Program

Rewards

Namshi may, at its sole discretion, provide rewards to eligible reports of qualifying vulnerabilities. Our minimum reward is $150 USD.

Critical ➡ $2,000 - $5,000
High ➡ $1,000
Medium ➡ $350
Low ➡ $150

The pricing varies depending on the severity of the reported vulnerability.

Focus

The focus of Namshi’s bug bounty program is to identify security vulnerabilities and attacks that can affect the security of our customers. If you believe you've found a security issue, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Security researchers can privately share details of suspected vulnerabilities with us by submitting a report or by sending an email to security@namshi.com.

Please provide full details of the suspected vulnerability so that our security team may validate and reproduce the issue: screenshots, code and reproduction steps are always welcome.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve it.
  • Do not escalate issues in order to look for a “bigger fish”: for example, if you gain access to an S3 bucket, please report it to us and we’ll evaluate how critical the issue is and how it could be used to escalate further. If you could get access to other sensitive information from there, you would be rewarded accordingly.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. Please note that, depending on the severity of the issue, it might take a few days for us to fully get back to you with feedback.
  • Do not share the report details with third-parties and external entities while the issue affects the company, without obtaining permission from us.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Report Eligibility

  • You must be the first reporter of the vulnerability.
  • The report must demonstrate an actual security vulnerability.
  • The reporter must follow applicable local and international laws during testing.

Exclusions

The following issues are excluded from the bug bounty program (unless causing a significant impact):

  • Missing rate-limits.
  • Open redirects.
  • Theoretical issues that are not exploitable, or can not be demonstrated as exploitable.
  • Scanner-generated reports that are not validated to be true-positive.
  • Unreproducible issues.
  • Missing cookie flags.
  • SSL/TLS best practices.
  • Mixed content warnings.
  • Clickjacking / UI redressing.
  • Software version disclosure.
  • Account / E-mail enumeration.
  • Old session tokens valid after a logout / password change.
  • Login / Logout / Unauthenticated / Low-impact CSRF.
  • Use of a known-vulnerable library without proof of exploitability.
  • Vulnerabilities affecting users of outdated browsers or platforms.
  • Self-exploitation issues (i.e. password reset links, self-XSS, cookie reuse).
  • Descriptive / Verbose / Unique error pages (without proof of exploitability).
  • Missing security-related HTTP headers which do not lead directly to a vulnerability.
  • Low-impact secrets leaked by the native apps (for example, ad4push or kahuna keys) - unless a significant impact can be caused by the issues.
  • Content / Text-injection - such as reflected searches being displayed to the user (e.g. https://en-ae.namshi.com/catalog/?q=no+results+found.+Try+shopping+on+other.com).

The following tests are excluded from our bug bounty program:
  • Denial of service.
  • Spamming.
  • Social engineering (including phishing) of Namshi staff or contractors.
  • Any physical attempts against Namshi property or data centers.
  • 3rd-party websites / entities that include content from Namshi, as these could be operated by our vendors or partners. We can’t authorize you to test these systems on behalf of their owners and will not reward such reports. Please read the fine print on the page and examine domain and IP WHOIS records to confirm. If in doubt, talk to us first!
  • Black-hat SEO techniques.

Known issues for the program:
  • CSP issues in websites.
  • SPF issues.

Examples of Non-Valid Reports

The following are examples of reports that do not match the bug bounty program criteria:

  • Ability to subscribe an email address to newsletter without confirmation via the API.
  • Flash + 307 redirect CSRF attacks - unless a full PoC is provided.

Scope

  • All Namshi's domains, subdomains, and Namshi-owned services (Namshi domains/subdomains that point to third-party services are out of scope).
  • *.namshi.com.
  • All Namshi's apps and services.
  • Namshi Android App.
  • Namshi iOS App.
  • Projects at https://github.com/namshi.

Legal

We are unable to issue rewards to individuals who are in countries on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter the bug bounty program depending upon your local law.

This is not a competition, but rather a rewards program. You should understand that Namshi can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at Namshi’s discretion.

Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.

By participating in this program, you agree to adhere to the above rules and conditions. All rules must be followed to be eligible for rewards.

Safe Harbour

To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, you must:

  • Play by the rules. This includes following this policy, as well as any other relevant agreements. If there is any inconsistency between this policy and any other relevant terms, the terms of this policy will prevail;
  • Report any vulnerability you’ve discovered promptly;
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
  • Use only the official channels to discuss vulnerability information with us;
  • Keep the details of any discovered vulnerabilities confidential until they are fixed, according to the Disclosure Policy;
  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
  • If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept, and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
  • You should only interact with test accounts you own or with explicit permission from the account holder; and
  • Do not engage in extortion.

When conducting vulnerability research according to this policy, we consider this research to be authorized, lawful, and helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws at all times.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.