We try our best to keep all platforms of Zerodha secure, and make every effort to keep on top of the latest threats by working with our inhouse security team and external security consultants. If you are able to spot any security issues or vulnerabilities, please do share with us right away at [email protected].
We would like to continuously build relationships and work with as many security technology enthusiasts as possible, and fairly reward any such issues spotted as well.
We will reward reports according to the severity of their impact on a case-by-case basis as determined by our security team. We may reward more for unique, hard-to-find bugs; we may also reward less for bugs with complex prerequisites that have lower risk of exploitation of our platforms or are more seen to be as good practices to be implemented.
How to report a bug
To participate in Zerodha’s Bug Bounty Program, share an email with us in the prescribed format of reporting a bug below with [email protected].
All accepted bug reports would be required to accept a non-disclosure agreement, and share their PAN, bank account details & their address (for tax and compliance purposes), to further receive any bug bounty rewards. All reward payments are also subject to tax deducted as source.
The identified bug can be reported to our security team by emailing [email protected] Kindly format the mail as described below:
Subject: Bug bounty: <Vulnerability category>
- Proposed vulnerability category and severity.
- Vulnerable instances (apps, URLs etc.)
- Steps to reproduce.
- Proof of concept.
- Proposed impact.
- Recommendations for mitigation (optional).
- Sender details including: Name, E-mail address, Phone number.
Our platforms, applications & website URLs, that belong to Zerodha:
Infra and network security
Open network ports, open services other than public HTTP Endpoints etc. DoS and DDoS tests ARE PROHIBITED.
All the bounty rewards will be paid based on an internal assessment by our security team. Based on the severity, we will revert within 1-5 days, and communicate whether the bug report was accepted/declined and the steps forward including the payment of the reward.