Paytm Bug Bounty

Paytm is committed to security. We reward reporters for the responsible disclosure of in-scope issues and exploitation techniques.



If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it to us so that we can address it as soon as possible.

Rewards

Paytm Bug Bounty Program offers bounties for security software bugs which meet the following criteria.

The bug has a direct security impact and falls under one of our Vulnerability Categories.

Rewards can only be credited to a Paytm wallet; KYC is mandatory.

The minimum reward for eligible bugs is 1000 INR. Bounty amounts are not negotiable.

1 valid bug equals 1 reward.

Multiple reports over time can be eligible for Hall of Fame or a digital certificate.

In situations where a bug does not warrant a bounty, we may issue a digital certificate. Our certification process is multi-leveled:



Standard

Bronze

Silver

Gold

Platinum

Our Hall of Fame page recognizes the contributions of reporters who have demonstrated a high level of dedication to our program.

Acceptance requires multiple valid reports and remains at the discretion of our team.

Eligibility

Be the first to report the issue to us.

Must pertain to an item explicitly listed under Vulnerability Categories.

Must contain sufficient information including a proof of concept screenshot, video, or code snippet where needed.

You agree to participate in testing the effectiveness of the countermeasure applied to your report.

You agree to keep any communication with Paytm private.

Vulnerability Categories

| #   | Vulnerability Type            | Comment                             |
|-----|-------------------------------|-------------------------------------|
| 1.  | Cross-Site Request Forgery    | ** With significant security impact |
| 2.  | Cross-Site Scripting          | ** Self-XSS is out of scope         |
| 3.  | Open Redirects                | ** With significant security impact |
| 4.  | Cross Origin Resource Sharing | ** With significant security impact |
| 5.  | SQL injections                |                                     |
| 6.  | Server Side Request Forgery   |                                     |
| 7.  | Privilege Escalation          |                                     |
| 8.  | Local File Inclusion          |                                     |
| 9.  | Remote File Inclusion         |                                     |
| 10. | Leakage of Sensitive Data     |                                     |
| 11. | Authentication Bypass         |                                     |
| 12. | Directory Traversal           |                                     |
| 13. | Payment Manipulation          |                                     |
| 14. | Remote Code Execution         |                                     |

We will pay significantly (4 times) more for vulnerabilities which would ultimately result in data leakages, authentication bypasses, code execution or payment manipulations.