At Paytm, we regularly engage with the developer community, organizing hackathons and bug bounty programmes to help us build smart solutions uniquely relevant for India. The idea is simple — constantly enhancing our products and services with great feedback from the huge and diverse developer community.

Fallible, a cybersecurity research firm that specialises in API security and data-breach prevention, is working closely with us to enhance our systems. Fallible identified that one of our APIs could potentially expose some of our users’ data, and that a flaw in a separate checksum calculation process (the mechanism used to ensure the integrity of our API requests) could be used to initiate false orders. The issues were reported in December, and we have since fixed them. We will continue to work with Fallible to ensure that our systems continue to be 100% secure.

Want to be a Paytm Bug Bounty Hunter?

We invite independent security groups or individual researchers to study our platforms and help us make it even safer for our customers. Please alert us to any potential security flaw you find and we will suitably reward you for your efforts. If reliability engineering interests you and you would be interested in working with Paytm, do let us know that as well, or drop us a line at devops@paytm.com.

All security researchers are expected to:

Report their findings by writing to us directly at bugbounty@paytm.com without making any information public. We will confirm receipt within 72 working hours of submission.

Keep the information about any vulnerability you’ve discovered confidential between Paytm & yourself until we have resolved the problem.

Depending on the criticality level, we might take 1 to 4 weeks to fix the vulnerability. However, every effort will be made to provide periodic updates to the researcher until the issue is resolved or concluded.

Disclosure of the vulnerability to the public, social media or a third party will result in suspension from Paytm’s Bug Bounty Program.

Please make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.

Perform research only within the limited scope below, and follow these guidelines when reporting an issue to us.

Scope:

Website: www.paytm.com

Mobile Apps: (Android, iOS)

Mobile Seller Apps: (Android)

Reporting format:

If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us by emailing bugbounty@paytm.com.

Please include the following details in your report:

Description of the location and potential impact of the vulnerability

A detailed description of the steps required to reproduce the vulnerability — POC scripts, screenshots, and compressed screen captures will all be helpful to us.

We commit to:

Work with you to understand and resolve the issue quickly

Suitably reward your efforts

Not pursue or support any legal action related to your research
