Responsible Disclosure Policy - Meesho
At Fashnear Technologies Private Limited (including its affiliates) (hereinafter referred to as ‘Meesho’), we appreciate and encourage security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to us.
In support, we have established a Responsible Disclosure Policy, also called a Vulnerability Disclosure Policy. This policy is designed to create a clear communication path around reporting and disclosing exploitable vulnerabilities in our systems.
We may modify and revise this policy at our sole discretion as we move forward into the future; please continue to check here for updates.
Rules of Engagement
- Researchers submitting a vulnerability to Meesho agree to be bound by the terms of the Responsible Disclosure Policy (hereinafter referred to as the ‘Terms’).
- What is in scope and out of scope when discovering vulnerabilities is clearly mentioned and specified in the sections below.
- Researchers shall ensure that they do not engage in privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Researchers should only use/exploit to the extent necessary to confirm a vulnerability. Researchers should not use or exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use/exploit to “pivot” to other systems.
- Once a researcher establishes that a vulnerability exists, or encounters any sensitive data, the researcher shall stop any further testing and notify Meesho immediately. Researchers are required to keep any information about discovered vulnerabilities confidential even after submitting the vulnerability report.
- Meesho discourages violation of applicable laws and breach of any agreements in order to discover vulnerabilities and reserves the right to pursue legal action when the terms of this policy are violated or when testing is performed outside the scope of this policy. The decision made by our security team regarding validity, severity & impact of a vulnerability will be considered final and cannot be contested.
- Meesho may share your vulnerability reports with any affected partners, vendors or open source projects.
- If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, will work with you to understand and resolve the issue quickly, and Meesho will not initiate or recommend legal action related to your research.
- If the identified vulnerability can be used to potentially extract information of our customers or systems, or impair our systems' ability to function normally, then please refrain from actually exploiting such a vulnerability. This is absolutely necessary for us to consider your disclosure a responsible one.
- While we appreciate the inputs of researchers, we may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customer or system information, or impairing our systems. While we appreciate the inputs of researchers, we may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customer or system information or impairing our systems.
Policy Coverage Area
- Following Mobile Apps and Websites under (or a sub-domain of) the domains are covered as part of this policy –
- Meesho Andriod App
- Meesho iOS App
- If you encounter any vulnerability on our systems while testing within the scope of this policy, stop your test and notify us immediately.
Out of Scope Vulnerabilities
- General software related bugs (like SSL, older versions etc.)
- Vulnerabilities related to SPF/DMARC/DKIM records, which do not result in demonstrated compromise
- Missing security headers etc. or other security best practices, which do not result in demonstrated compromise
- Vulnerabilities related to outdated app versions or browsers – exploits/vulnerabilities related to current versions and only in the latest browser versions are accepted
- Exploits that need MITM or physical access to the victim’s device
- Clickjacking related submissions
- Unauthenticated/logout/login CSRF
- Previously known vulnerable libraries without a working Proof of Concept
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Open redirect
- Missing CAA headers
- Stack traces, directory listings or path disclosure
- Self XSS
- Social engineering attacks, both against users or employees
- Issues on non-company assets like GitHub, Cloud Providers or others, which Meesho may be using
- Forgot Password page brute-force and account lockout not enforced
- Lack of Captcha
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Session Timeouts
- Host Header Injection
- Exposed API keys without clear demonstration of security impact
- Specifically, exposed Google Map APIs keys and keys in Android XML files are out of scope for now
General Rules - Do’s & Don’t
- Do not launch Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
- Automated tools or scripts are strictly prohibited.
- Any POC submitted should have a proper step-by-step guide to reproduce the issue. As stated above, abuse of any vulnerability found shall be liable for legal penalties.
- Make every effort to avoid - privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
- Do not attempt to gain access to any other person’s account, data or personal information.
- Do use their real email address to report any vulnerability information to us.
- Keep information about any vulnerabilities you have discovered confidential between yourself and Meesho. The Researcher shall not publicly disclose the bug or vulnerability on any online or physical platform before it is fixed and prior written approval to publicly disclose obtained from Meesho.
- Do not use scanners or automated tools to find vulnerabilities.
- As a security researcher, you represent and warrant that you have the right, title and interest to disclose any vulnerability found and to submit any information, including documents, codes, among others, in connection therewith. Once you inform a vulnerability, you grant Meesho, its subsidiaries and affiliates an irrevocable, worldwide, royalty-free, transferable, sublicensable right to use in any way Meesho deems appropriate for any purpose. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by Meesho.
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
How to report
- The identified vulnerability should be reported to us by sending us a mail to email@example.com (Subject: Suspected Vulnerability at Meesho App/Website). The mail should follow the format below:
- Full Name
- Mobile Number
- Any Public profile (Twitter, LinkedIn, Github etc.)
- Name of the Vulnerability
- Affected Application
- Vulnerable Endpoint & Parameter
- Detailed steps to reproduce
Please keep your vulnerability reports current by sending us any new information as it becomes available. We may share your vulnerability reports with any affected partners, vendors or open-source projects.
- By helping us continuously keep our data secure, once the security vulnerability is verified and fixed as a result of the report, we would like to put your name on our “Security Hall of Fame” page present at https://meesho.com/legal/hall-of-fame.
- We may at our sole discretion send out Meesho Swag in some cases.
Eligibility for Recognition
- Must be the first person to responsibly disclose the vulnerability.
- Vulnerability discovered must be found when testing within the scope of this policy.
- Reported vulnerability significantly impacts security and integrity of Meesho services or impacts the privacy of customer or partner data.
Meesho may at its sole discretion rate vulnerabilities as critical, high, medium and low. Only vulnerabilities rated critical and high are eligible for the Security Hall of Fame (https://meesho.com/legal/hall-of-fame).