Welcome to the Hike Bug Bounty Policy 👋

At Hike Private Limited (including its affiliates) (hereinafter referred to as ‘Hike’ or ‘We’), we are committed to the safety and security of our services and to the integrity of its data. We appreciate and encourage security researchers/analysts to contact us to report potential vulnerabilities in respect of the services offered on www.getrushapp.com and related mobile application ("Rush Platform").

Disclosure Policy:

• We request that you inform us promptly upon discovering a potential security vulnerability.
• Our team will work quickly to resolve the issue. We ask for a reasonable time period to resolve the issue before it is disclosed to the public or any third-party.
• We kindly request that you make a sincere effort to avoid violating privacy, damaging data, or disrupting our services in any way.

Reporting Guidelines

• Please provide detailed reports with clear textual description of the report along with steps to reproduce the vulnerability.
• You must include attachments such as screenshots or PoC code as necessary.
• Include a clear attack scenario. How will this affect us exactly?
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

Eligibility

• Must be the first person to responsibly report the vulnerability to us.
• Vulnerability discovered must be found when testing within the scope of this policy.
• Reported vulnerability significantly impacts security and integrity of Rush Platform services or impacts the privacy of customer or partner data.
• You agree to participate in testing the effectiveness of the countermeasure applied to your report.
• You agree to keep any communication with us private.
• Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to your participation in the Program.

Rules of Engagement

• Do not perform any attack that could harm the reliability, integrity, and capacity of our services. DDoS/spam attached is not allowed;
• Do not violate the privacy of other users, destroy data, disrupt our services or Rush Platform, etc.
• Do not violate any laws or breach any agreements in order to discover vulnerabilities.
• You must comply with this Policy when discovering the vulnerability and submitting the vulnerability report.
• Keep information in relation to any vulnerabilities you have discovered confidential. The Researcher shall not publicly disclose the bug or vulnerability on any online or physical platform before it is fixed and prior approval/consent to publicly disclose is obtained from Hike.
• Do not in any way try to abuse any vulnerability found, it shall be liable for legal penalties.
• Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

Areas of Focus:

• Game server entry point
• Run time gaming hacks and score manipulation across games on the platform
• Horizontal or vertical privilege escalation
• Data exfiltration
• Influencing game payouts

Exclusions

Reports falling into the categories listed below are considered out of scope for our Bug Bounty program :

• Physical or social engineering attempts (this includes phishing attacks against Hike employees)
• Ability to send push notifications/SMS messages/emails without the ability to change content
• Ability to take over social media pages (Twitter, Facebook, Linkedin, etc)
• Mail configuration issues including SPF, DKIM, DMARC settings
• Best practice concerns like cookie is not marked secure and http only, missing HSTS, SSL/TLS configuration, missing security headers, etc.
• Negligible security impact
• Reports that state that software is out of date/vulnerable without a proof-of-concept
• Highly speculative reports about theoretical damage
• Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
• Open ports without an accompanying proof-of-concept demonstrating vulnerability
• Subdomain takeovers - please demonstrate that you are able to take over the page by leaving a non-offensive message, such as your username
• CSV injection
• Protocol mismatch
• Rate limiting
• Vulnerabilities that cannot be used to exploit other users or Hike -- e.g. self-xss or having a user paste JavaScript into the browser console
• Content injection issues
• Clickjacking on pages with no sensitive actions
• Missing cookie flags on non-authentication cookies
• Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
• Issues that require physical access to a victim’s computer/device
• Stack traces, Path disclosure or Directory listings
• Denial of Service(DoS) and Distributed Denial of Service(DDoS) attacks
• Assets with DNS entries for Test, Stag, Staging, and Dev environments are not eligible for testing in our bug bounty program.
• Issues on non-hike assets like hikeapp.atlassian.net, hikeapp.notion.site

Out of scope for Rush android application:

• Exploits using runtime changes
• Absence of certificate pinning
• Snapshot/Pasteboard/Clipboard data leakage
• Lack of obfuscation
• Exploits reproducible only on rooted/jailbroken devices
• Android backup vulnerability
• Irrelevant activities/intents exported
• Application crashes
• Discovery of hardcoded keys in mobile applications without a feasible attack scenario.
• Storage of sensitive data in the in-app private directory
• Any exploit that requires tricking the user into installing a malicious app