Bug Bounty Program

Program Overview

GoComet is committed to maintaining the highest standards of security for our platform and users. We welcome the security research community to help us identify and responsibly disclose security vulnerabilities through our bug bounty program.

This program rewards security researchers who discover and report valid vulnerabilities in our systems. We value your efforts in making GoComet more secure and appreciate your responsible disclosure practices.

Severity Classification Model

GoComet follows the Common Vulnerability Scoring System (CVSS) v3.1 framework for assessing vulnerability severity. Each reported vulnerability will be evaluated based on CVSS metrics including:

  • Attack Vector (Network, Adjacent, Local, Physical)

  • Attack Complexity (Low, High)

  • Privileges Required (None, Low, High)

  • User Interaction (None, Required)

  • Impact on Confidentiality, Integrity, and Availability

Important Note: While we use CVSS as our baseline assessment model, GoComet reserves the right to adjust the severity rating up or down to reflect the actual business impact and risk to our users, systems, and operations. Factors such as exposure scope, data sensitivity, exploitability in real-world scenarios, and potential business disruption will be considered in our final severity determination.

Severity Ratings

  • Critical (9.0-10.0): Vulnerabilities with severe impact requiring immediate remediation

  • High (7.0-8.9): Serious vulnerabilities with significant security implications

  • Medium (4.0-6.9): Moderate vulnerabilities with limited scope or impact

  • Low (0.1-3.9): Minor vulnerabilities with minimal security impact

  • Informational: Security observations without direct exploitability

In-Scope Assets

The following assets are eligible for testing and vulnerability reporting:

Out-of-Scope Assets

The following assets are NOT eligible for testing:

  • Testing, QA, staging, development, or any non-production environments

  • Third-party services or infrastructure not directly controlled by GoComet

  • Physical security of GoComet offices or facilities

  • Social engineering attacks against GoComet employees

Important: Testing out-of-scope assets may result in disqualification from the program.

In-Scope Vulnerabilities

The following vulnerability types and severity levels are eligible for rewards in the GoComet bug bounty program:

  • Remote Code Execution (RCE): Unauthenticated or authenticated RCE on any production server or application

  • Authentication Bypass: Complete circumvention of authentication mechanisms allowing unauthorized access to user accounts or admin panels

  • Privilege Escalation: Ability to escalate from low-privilege user to admin or higher-privilege accounts

  • SQL Injection: Injection flaws leading to unauthorized database access, data exfiltration, or manipulation

  • Critical Business Logic Flaws: Vulnerabilities allowing complete bypass of critical security controls (e.g., payment processing, user verification)

  • Large-Scale Data Breach: Vulnerabilities exposing massive volumes of sensitive user data (PII, financial information, authentication credentials)

  • XXE (XML External Entity) Injection: Leading to RCE or large-scale data exfiltration

  • Cross-Site Scripting (XSS): Authenticated or unauthenticated XSS allowing session hijacking, account takeover, or malware distribution

  • Cross-Site Request Forgery (CSRF): Allowing state-changing operations (fund transfers, account modifications, admin actions) without user consent

  • Insecure Direct Object Reference (IDOR): Unauthorized access to other users' sensitive data or resources

  • Broken Access Control: Ability to access resources or perform actions beyond authorized privileges

  • Sensitive Data Exposure: Unencrypted transmission of sensitive data (passwords, API keys, PII)

  • Security Misconfiguration: Critical misconfigurations exposing sensitive information or functionality (e.g., exposed S3 buckets, default credentials)

  • Insecure Deserialization: Leading to code execution or privilege escalation

  • Path Traversal: Unauthorized file access outside intended directories

  • API Authentication/Authorization Flaws: Bypassing API security controls

  • Logic Vulnerabilities: Bypassing business logic controls with moderate security impact

Out-Of-Scope Vulnerabilities

The following vulnerability types and testing methods are NOT eligible for rewards, regardless of how they were discovered:

  • Denial of Service (DoS/DDoS) Attacks: All forms of DoS/DDoS testing, including volumetric attacks, application-level DoS, or resource exhaustion

  • Self-XSS: Cross-site scripting vulnerabilities that require the victim to paste malicious code themselves or require significant social engineering to exploit. Self-XSS vulnerabilities that cannot be used to attack other users are not eligible

  • Broken Links: Defunct or non-functional links on marketing, documentation, or blog pages

  • Typos & Spelling Errors: Grammatical errors, misspellings, or minor text inconsistencies

  • Email Configuration Issues: SPF/DKIM/DMARC misconfigurations (unless directly enabling email spoofing attacks)

  • Outdated Software Library Mentions: References to outdated versions in documentation (without active vulnerability)

  • Automated Vulnerability Scanner Reports: Generic scan results without proof of exploitability or manual validation

  • Third-Party Security Issues: Vulnerabilities in third-party services or dependencies outside GoComet's control

  • Unconfirmed Vulnerabilities: Theoretical vulnerabilities without proof of concept or demonstration of exploitability

  • Feature Requests: Missing features, UI/UX improvements, or product suggestions

  • Best Practice Recommendations: General security recommendations not representing actual vulnerabilities

  • Duplicate Reports: Duplicate submissions of previously reported vulnerabilities

  • Malware Distribution: Uploading or distributing malware, exploits, or harmful payloads

  • Missing Security Headers (in isolation): When not combined with actual security exploitation vectors

Reporting Requirements

To ensure efficient triage and validation of your vulnerability report, please include the following information:

1. Report Title and Summary

  • Clear, descriptive title indicating the vulnerability type and affected component

  • Brief summary explaining the vulnerability and its significance

2. Affected Assets

  • Specific URL(s), API endpoint(s), or application components where the vulnerability exists

  • Application version or platform details if applicable

3. Vulnerability Classification

  • Vulnerability type (SQL Injection, XSS, IDOR, etc.)

  • Your severity assessment (optional)

  • CVSS vector string if calculated (optional)

4. Detailed Reproduction Steps

  • Prerequisites: Required setup, accounts, permissions, or tools

  • Step-by-step instructions to reproduce the vulnerability

  • Expected vs. actual results

5. Proof of Concept (PoC)

  • Screenshots or screen recordings demonstrating exploitation

  • HTTP requests and responses (sanitized)

  • Exploit code or scripts if applicable

  • Video demonstration for complex exploits (optional)

Important: Redact any real user data, credentials, or sensitive information from your PoC.

6. Impact Analysis

  • What can an attacker achieve?

  • Who is affected?

  • Attack prerequisites and authentication requirements

  • Ease of exploitation

  • Potential business impact

7. Suggested Remediation (Optional)

  • Technical mitigation steps or recommended fixes

  • Security controls that should be implemented

8. Additional Information

  • Discovery timeline

  • Public disclosure status or CVE information

  • Related vulnerabilities in other components

  • Browser/client details if relevant

9. Contact Information

  • Your name or handle for credit

  • Email address for follow-up communication

  • Disclosure preferences

Submission Process

  1. Prepare your report following the requirements above

  2. Submit via our security portal at [email protected]

  3. Await acknowledgement: We'll confirm receipt within 2-3 business days

  4. Cooperate with our team: Be available to provide additional information or clarification

  5. Maintain confidentiality: Do not publicly disclose the vulnerability until we've issued a fix and provided written approval

Response Timeline

  • Initial Response: Within 2-3 business days of submission

  • Triage and Validation: 5-7 business days

  • Severity Assessment: Communicated after validation

  • Remediation: Timeline depends on severity (Critical: 7-14 days, High: 14-30 days, Medium: 30-60 days)

  • Reward Distribution: After successful remediation and verification

  • Reward Amount: $30 to $100 based on severity.

Responsible Disclosure Policy

We ask that security researchers:

  • Provide reasonable time for us to remediate before public disclosure

  • Do not exploit vulnerabilities beyond what's necessary for proof of concept

  • Avoid privacy violations, data destruction, or service disruption

  • Act in good faith to avoid violating privacy laws and disrupting our services

In return, we commit to:

  • Acknowledge your report promptly

  • Provide status updates throughout the remediation process

  • Credit you publicly (if desired) after the vulnerability is resolved

  • Work with you fairly to understand and validate the vulnerability

  • Not pursue legal action against researchers who follow these guidelines

Questions or Concerns?

If you have questions about the program, scope, or reporting process, please contact us at [email protected] before testing.

GoComet India Private Limited