Bug Bounty Program
Welcome to Groww's Bug Bounty Program! We highly appreciate your efforts in helping us identify and address security vulnerabilities in our platform. Your involvement in this program actively helps in creating a more secure environment for every user on Groww.
Reporting Security Vulnerabilities
If you have discovered a potential security vulnerability, we encourage you to report it to us promptly. We take all reports seriously and will investigate and address any valid findings.
Rewards
Our security team assesses the severity of each reported vulnerability individually to decide the appropriate reward. For exceptionally unique and hard-to-find vulnerabilities, we may offer more than the minimum bounty amount. Conversely, issues that require complex preconditions to exploit, pose little risk to our platforms, or amount to best-practice recommendations may receive comparatively lower rewards.
Severity | Minimum Bounty Amount
Low      | $100
Medium   | $250
High     | $500
Critical | $1000
How to report a bug
- Visit our bug bounty submission page, security.groww.in, and click on Report a Vulnerability.
- Fill out the necessary details, including a detailed description of the vulnerability, steps to reproduce it, and any supporting evidence and submit the issue.
- Upon submitting the issue, a confirmation email will be sent to you; use it to claim the submission and begin the bug triage process.
- Our security team will review your submission and get back to you if additional information is required.
- We aim to provide a timely response and keep you informed about the progress of the investigation.
Targets In-scope
✅ groww.in
✅ Groww Android Application
✅ Groww iOS Application
✅ *.groww.in
In-scope vulnerability examples
Our bug bounty program covers security vulnerabilities found on the Groww platform, including but not limited to:
- Remote Code Execution
- Significant Authentication Bypass
- Significant Authorization Bypass
- Cross Instance Privilege Escalation
- Server Side Request Forgery
- Insecure Direct Object Reference
- SQL Injection
- Cross-Site Scripting (excluding self-XSS)
- Cross-Site Request Forgery (CSRF) on critical actions
- Insufficiently Protected Credentials / Credential Exposure
- Insecure/Open Redirect (which allows stealing secrets/tokens)
- (Sub)domain hijacking or DNS Hijacking
- Payment related issues
- Findings that reveal the sensitive data of our customers and staff
Targets Out of Scope
- All sandbox and staging environments are out of scope.
- All external services/software not managed or controlled by Groww are out of scope and ineligible for recognition.
- Newly acquired company websites/mobile apps are subject to a 12 month blackout period. Issues reported in such websites/mobile apps during that period won't qualify for any reward or recognition.
- DOMAIN/SUB-DOMAIN(S):
🚫 growwerp.groww.in
🚫 tech.groww.in
🚫 digest.groww.in
🚫 smallcases.groww.in
🚫 smallcases-release.groww.in
Out of Scope vulnerability examples
- Missing HTTP security headers (e.g., X-Frame-Options, X-XSS-Protection, etc.)
- SSL/TLS issues (e.g., BEAST, BREACH, Weak/insecure cipher suites, etc.)
- Descriptive error messages (e.g., stack traces, application or server errors)
- Spamming (e.g., SMS/Email Bombing)
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Fingerprinting/banner disclosure on common/public services
- Disclosure of known public files or directories (e.g., robots.txt, readme.txt, changes.txt)
- CSRF on forms that are available to anonymous users (e.g., the contact form)
- Login/logout cross-site request forgery
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Lack of Secure and HTTPOnly cookie flags
- OPTIONS/TRACE HTTP method enabled
- HTTPS Mixed Content Scripts
- Any vulnerability that requires the installation of software (e.g., web browser add-ons) on the victim's machine
- (Distributed) Denial of Service attacks
- Any vulnerability that requires physical device access, root/jailbroken access or third-party app installation to exploit
- SSL Pinning bypass and bypassing root/jailbroken detection
- Tapjacking
- Reports of known-vulnerable software versions/known CVEs without a proof of concept demonstrating exploitability on Groww's infrastructure
- Bugs that Groww is already aware of or those already classified as ineligible
- Missing or weak rate limiting (unless it implies a severe threat to data or business loss)
- Phishing attacks
Guidelines and Rules
To ensure a successful bug bounty program, we kindly request that you adhere to the following guidelines and rules:
- Do not violate the privacy of other users, destroy data, disrupt our services or Groww Platform, etc.
- Do not disclose or share any reported vulnerabilities before they are resolved.
- Only target the systems and assets within the defined scope.
- Provide clear and detailed reports, including steps to reproduce the vulnerability.
- Respect user privacy and confidentiality at all times.
- Do not perform any attack that could harm the reliability, integrity, or capacity of our services. DDoS and spam attacks are not allowed.
Legal Considerations
While we appreciate your participation, it is essential to respect and comply with all applicable laws and regulations. We will not take any legal action against security researchers who act responsibly and in good faith during their participation in the bug bounty program.
However, any unauthorised actions or attempts to exploit vulnerabilities beyond the defined scope will be handled in accordance with the law.
If you have any questions or need further clarification regarding our bug bounty program, please reach out to our security team at [email protected].
Submissions are eligible for validation only when they are submitted through our official bug bounty platform. Any submissions via email or alternative communication sources will not be considered.
Happy bug hunting!