At ixigo, the security of our systems and data is a top priority. We are committed to maintaining a safe environment for our valued customers. If you identify a bug, we greatly appreciate your time, effort, and cooperation in responsibly reporting it. We treat all security reports with urgency and are dedicated to investigating and resolving issues promptly.
The program allows users to submit vulnerabilities along with the methods used to exploit them. ixigo's decisions regarding rewards are final and binding.
This policy establishes a binding agreement between you and ixigo. By participating, you irrevocably, unconditionally, and unequivocally agree to adhere to the policy.
ixigo reserves the right to modify or terminate this program at any time and for any reason, at its sole discretion.
You should be the first to report any bugs. If your submission is identified as a duplicate, you will be notified.
Bugs must relate to items explicitly listed as accepted vulnerabilities in Annex A.
Participants must be individual researchers or employed by organizations that allow participation in the program.
You are not eligible to participate if your organization does not permit involvement in such programs, if you violate your employer's policies regarding participation or rewards in this program, or if you are or have been involved in the development, administration, or execution of this program.
Submission Process
If you believe you have discovered a vulnerability that meets the criteria outlined in our policy, you may submit it to us. Please use the form located at the bottom of this page to submit each vulnerability.
Ensure you provide all relevant details, including the versions of the tools you used in your submission.
All submissions must include a proper Proof of Concept (POC) and any necessary special configurations to help us validate your findings.
To be considered valid, submissions should have a significant impact and be exploitable.
Rules
Unauthorized attempts to access, modify, or delete other users' data are strictly prohibited. If you inadvertently access user data, immediately delete all relevant information and promptly report the incident to us.
Vulnerability disclosures should only be made after we have confirmed that a fix has been deployed or released. Findings obtained through automated tools that cause significant server load will not be considered.
Do not violate the privacy of other users, destroy data, or disrupt our services. Avoid requesting updates on an hourly basis; you will receive a human acknowledgment of your report within five working days.
You must refrain from exploiting or conducting further testing of any security issues you discover for any reason, including demonstrating additional risks.
Do not target our physical security measures or attempt social engineering, spam, distributed denial-of-service (DDoS) attacks, or similar activities.
Any form of threat will result in automatic disqualification from the program and may lead to legal action against you.
Review Process
ixigo holds exclusive authority to determine the eligibility of submissions.
If multiple reports of the same issue or vulnerability are received from different sources, reward points will be awarded to the first qualifying submission.
Rewards
All decisions made by ixigo regarding reward points are final and binding.
If ixigo, at its sole discretion, determines that your submission qualifies for a reward point under the policy, we will notify you of the awarded reward point and provide the necessary paperwork or documentation to process your award.
The minimum reward for eligible submissions will be monetary or other goodies, as determined by ixigo.
Miscellaneous
Please adhere to the established rules, as non-compliance may result in legal action.
When reporting a bug, ensure it is thoroughly documented with the following information:
A detailed description of the bug, its impact, and suggested fixes.
Step-by-step instructions to replicate the attack.
A video Proof of Concept (POC) and clear snapshots of the actions performed.
The IP address from which the requests were sent to our servers.
Scope
https://ixigo.com | https://*.ixigo.com
Latest release of ixigo mobile applications (both Trains and Flights) from Google Play Store and Apple App Store
Annexure
Accepted Vulnerabilities
All types of injections
Broken Access Control
Server-side injection
Cross Site Scripting (XSS) → Self XSS is out of scope
Remote Code Execution (RCE)
Authentication Bypass / Unauthorized Access
Payment parameter manipulation, Price manipulation with a successful transaction
Sensitive Data Exposure (PII)
Cross Site Request Forgery (CSRF) → Only with significant security impact
Unrestricted Upload Vulnerabilities
Open Redirects → Only with significant security impact
Cross Origin Resource Sharing → Only with significant security impact
Domain Takeover Vulnerabilities
Descriptive Error Messages
Any vulnerability that can affect the ixigo brand, user data, or financial transactions
Out-of-scope bugs for apps
Absence of certificate pinning
Sensitive data stored in the app's private directory
User data stored unencrypted on external storage
Lack of binary protection control in the Android app
Shared links leaked through the system clipboard
Any URIs leaked because a malicious app has permission to view opened URIs
Sensitive data in URLs/request bodies when protected by TLS
Lack of obfuscation
OAuth app secret hard-coded/recoverable in the APK
Crashes due to malformed intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)
Note: ixigo retains the right to update or modify its security policy as necessary.