Security

Vulnerability Disclosure Program

System security is a top priority at Moving Tech. Regardless of the amount of effort any Company puts into its system security, no technology is perfect and there can still be vulnerabilities present. Moving Tech believes that working with skilled security researchers across the globe is crucial in identifying any weaknesses in its systems and to ensure that its security is maintained.

Moving Tech hence invites all skilled security researchers to participate in its Vulnerability Disclosure Program (the "Program"), which participation shall be subject to the terms and conditions hereunder:

I. Registration for the Program

  1. These terms govern the terms of your access and participation into the Moving Tech Vulnerability Disclosure Program, and you are deemed to agree and undertake to abide by these terms while participating in the Program and submitting your reports. By agreeing to participate in the Program, you agree to abide by the terms hereunder.
  2. By submitting the vulnerability through this Program, you affirm that you have not disclosed and agree that you will not disclose the bug or your submission to anyone other than to Moving Tech under this Program.
  3. Any information you receive or collect about Moving Tech by participating in this Program must be kept confidential and only used in connection with the Program and for getting the vulnerabilities cleared. You may not use, disclose or distribute any such confidential information, including, but not limited to, any information regarding your submission and information you obtain when researching the Moving Tech sites, without Moving Tech's prior written consent.
  4. Your testing activities must not negatively impact Moving Tech or Moving Tech's business or performance.
  5. You are responsible for notifying Moving Tech of any changes to your contact information, including but not limited to your email address.
  6. Only the products that have been developed by Moving Tech and are currently being operated and maintained by Moving Tech are within the scope of this policy.

II. Guidelines for Responsible Disclosure

  1. Researchers will need to comply with the below guidelines while disclosing the vulnerabilities detected.
  2. Researchers to notify us as soon as they find any potential security issue on the notified e-mail id.
  3. The researchers are advised to stick to this policy and shall not be allowed to disclose details of the vulnerability to any third party or expose it to any agencies.
  4. Researchers will be required to use official communication channels only. Do not use personal emails, social media accounts, or other private connections to contact a member of the security team in regard to vulnerabilities or any program related issues, unless you have been instructed to do so.
  5. Any unauthorized attempts of social engineering, phishing, or physical attacks against Moving Tech's employees, users, or impersonation of a Moving Tech employee through a third party, another hacker, or a security team will not be tolerated.
  6. Researchers should not gain unauthorized access or destroy any user's data.
  7. Any unauthorized attempts of social engineering, phishing, or physical attacks against Moving Tech's employees, users, or impersonation of a Moving Tech employee through a third party, another hacker, or a security team will not be tolerated.
  8. Researchers shall be strictly prohibited from exploiting any of the vulnerabilities found.
  9. Researchers will make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.

III. How to Report

  1. Once registered, you shall only use the official communication channels and the registered email Id (infosec@nammayatri.in) to interact with the Moving Tech security team. Do not use personal emails, social media accounts, or other private connections to contact a member of the security team in regard to vulnerabilities or any program related issues, unless you have been instructed to do so.
  2. Upon detection of a vulnerability/bug, you shall immediately report it to the Moving Tech team, and such bug/vulnerability report shall include:
    1. Details that must be included in the report.
    2. Description and potential impact of the vulnerability.
    3. Information about the researcher including organization name and contact name.
    4. Products or solutions and versions affected.
    5. Proof-of-Concept URL and the information of affected parameter.
    6. Supporting technical details (such as system configuration, traces, description of exploit/attack code).
    7. Information about known exploits/attack.
    8. Detailed steps of reproducing the vulnerability.
    9. Screenshots to show Proof-of-Concept.
    10. Details of the system where the tests were conducted.
    11. Video recording of the Proof-of-Concept (if possible).

However, Moving Tech reserves the right to refuse your request if any of the above-mentioned details are not provided by you to Moving Tech.

IV. Exclusions

While researching, you shall strictly refrain from indulging in:

  1. Social engineering (including phishing) with any Moving Tech staff or contractors;
  2. Any physical attempts against Moving Tech property, data centers or infrastructure;
  3. Denial of Service, Distributed-DoS;
  4. X-Frame-Options related, missing cookie flags on non-sensitive cookies;
  5. Missing security headers which do not lead directly to a vulnerability (unless you deliver a PoC);
  6. Version exposure (unless you deliver a PoC of working exploit);
  7. Directory listing with already public readable content;
  8. Content spoofing on error pages or text injection;
  9. Information disclosure not associated with a vulnerability, i.e.: stack traces, application or server errors, robots.txt etc;
  10. Use of known-vulnerable libraries without proof of exploitation such as OpenSSL;
  11. Vulnerabilities affecting end of life browsers or platforms;
  12. Login or forgotten password page brute forcing and account lockout not being enforced;
  13. Application denial of service by locking user accounts;
  14. Password or account recovery policies, such as reset link expiration or password complexity;
  15. Reports from automated scripts or scanners;
  16. Findings from physical testing such as office access (e.g. open doors, tailgating);
  17. Findings derived primarily from social engineering (e.g. phishing, vishing, smishing);
  18. Functional, UI and UX bugs and spelling mistakes;
  19. Logged out cross-site request forgery (logout CSRF);
  20. Presence of application or web browser 'autocomplete' or 'save password' functionality;
  21. Options / trace HTTP method being enabled (unless you deliver a PoC of working exploit);
  22. Modification of headers, URLs, POST body content, server responses by man-in-the-middle attacks;
  23. Fingerprinting / banner disclosure on common / public services;
  24. Clickjacking and issues only exploitable through clickjacking;
  25. No / weak captcha / captcha bypass;
  26. SSL issues such as BEAST, BREACH, renegotiation attack, forward secrecy not enabled, weak / insecure cipher suites.

Moving Tech reserves its right to expand this list and include additional exclusions when required.

V. Third Party Software

As part of providing services to its customers, Moving Tech uses integrations with various third-party software. This Program does not extend to any such third-party software and bugs or vulnerabilities detected in such third-party software will not be considered as a valid find. Notwithstanding the above, any such vulnerabilities communicated to Moving Tech may further be transmitted/informed to the third-party service provider.

VI. Additional Terms

  1. You must abide by the law and intimation of vulnerability shall be as per the law.
  2. Moving Tech reserves the right to discontinue the Program with prior intimation to registered researchers.
  3. By submitting information about a potential vulnerability, you are agreeing to these terms and conditions and granting Moving Tech a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing vulnerabilities.
  4. Moving Tech reserves the right to hold you responsible and liable for any consequences arising out of your breach of these terms or breach of confidentiality. You hereby undertake to indemnify and keep indemnified Moving Tech and its directors, officers, employees and consultants against all losses, damages, claims or liabilities that they incur due to any Fraud, Willful Misconduct, Gross Negligence, breach of confidentiality or due to breach of personal confidential information.

VII. Governing Law and Jurisdiction

These terms shall be governed by the Laws of India and the courts at Bangalore, India shall have exclusive jurisdiction to try any disputes that may arise out of this Program.