Contact: security[AT]ixigo[DOT]com
Preferred-Languages: en

# Security Policy
# - Attempts to access, change or delete other users' data are strongly advised against
# - If you manage to access user data, remove all relevant data and immediately report the access to us
# - Disclose reproducible security issues immediately to us
# - Vulnerability disclosure should only happen after we have confirmed that a fix has been deployed or released
# - Any findings obtained through automatic tools that result in high server load will not be considered

# Areas of interest
# - https://ixigo.com
# - Latest release of Ixigo mobile applications (both Trains and Flights) from Google Play Store and Apple App Store

# Remuneration
# - You must be the first to report an issue to us
# - The decision on severity and the reward amounts is made solely by us

# The following issues are unlikely to receive a bounty on report
# - Clickjacking/UI redressing
# - Incomplete or missing SPF/DMARC/DKIM records
# - Low impact information disclosures such as software version disclosure
# - Missing Cookie flags
# - Vulnerabilities requiring the use of outdated browsers, plugins or platforms
# - Vulnerabilities having low or no security implications
# - Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)
# - IIS Tilde File and Directory Disclosure
# - CSV Injection
# - PHP Info