Bug bounty program

Please note that the Bug bounty program is only for reporting valid security bugs. For reporting any application-related issues, please visit our Support portal and create a ticket.

We try our best to keep all platforms of Zerodha secure, and make every effort to keep on top of the latest threats by working with our in-house security team and external security consultants. If you are able to spot any security issues or vulnerabilities, please report them here.

We would like to continuously build relationships and work with as many security technology enthusiasts as possible, and fairly reward any such issues spotted as well.

Rewards

We will reward reports according to the severity of their impact, on a case-by-case basis as determined by our security team. We may reward more for unique, hard-to-find bugs; we may also reward less for bugs with complex prerequisites that carry a lower risk of exploitation on our platforms, or that are better seen as good practices to be implemented.

How to report a bug

To participate in Zerodha’s Bug Bounty Program, report the bug here.

Researchers whose bug reports are accepted will be required to sign a non-disclosure agreement and share their PAN, bank account details and address (for tax and compliance purposes) in order to receive any bug bounty rewards. All reward payments are also subject to tax deducted at source.

Responsible disclosure

The identified bug can be reported here.

Program scope

Our platforms, applications and website URLs that belong to Zerodha:

In-Scope:

Android applications:

iOS applications:

Exclusions:

  • Kite forum (we will soon be moving this portal to Discourse).
  • Rate-limit bounties are only considered if the issue causes a loss to the business or to customer data.
  • Clickjacking of pages.
  • https://developers.kite.trade (any reports with respect to developers.kite.trade shall not be included, as we are currently making changes to the website and it will only include Kite account-based logins).
  • WP JSON related reports on Varsity or Z-connect.

Infra and network security

Open network ports, open services other than public HTTP endpoints, etc. DoS and DDoS tests ARE PROHIBITED.

All bounty rewards will be paid based on an internal assessment by our security team. Depending on the severity, we will respond within 1-7 business days and communicate whether the bug report was accepted or declined, along with the next steps, including payment of the reward.