Astra Security

Easy-to-use Web Security Suite

Amazon Voucher Per Bug

General Guidelines

The Submission Process

If you believe you have found a vulnerability, immediately create a submission through our platform. You can do so by submitting a report or directly writing to us at [email protected].

Each submission is carefully evaluated by our team of experts. Vulnerabilities deemed valid by our team are shared with the concerned company. If you try to contact the company directly via email, social media, etc. and do not hear from them, it won’t be considered a valid submission. Companies running a responsible disclosure program via our platform should only be contacted through the submission process given on

You will be recognized for your efforts if you were the first to report the vulnerability and if the submission is considered a real vulnerability as per the rules of the program.

Guidelines for Responsible Disclosure

All security researchers should strictly follow the guidelines given below:

  • Security research should be performed within the scope defined below
  • While performing the research there should not be any disruption of systems, privacy violations or degradation of user experience
  • Only the identified communication channel mentioned below under ‘Report a vulnerability’ heading should be used to communicate the vulnerability.
  • DO NOT report the security vulnerability to any other Astra Security partner, client, employee or email address
  • Security vulnerabilities found in Astra Security’s widget and APIs utilized on our partner and customer websites also fall under this responsible disclosure program
  • DDoS attacks DO NOT qualify under this program and the website should not be tested against such attacks
  • Information about the vulnerability should not be disclosed publicly
  • Information about finding a vulnerability also should not be disclosed publicly
  • The researcher should not put the screenshots, videos, screen grabs or any other sensitive information regarding the vulnerability on any external websites like Imgur, Vimeo, YouTube, Dropbox etc.
  • If a security researcher wants to disclose issues outside the scope of the program listed on {policy page}, please select the ‘Other’ option in the ‘Target Domain’ dropdown on the ‘Submit Vulnerability Report’ page. For such reports, Astra can assist in the communication but does not guarantee a response/reward.
  • Violation of the program’s stated policy (both general guidelines and program policy) can result in enforcement of necessary legal actions.

Non-qualifying Bugs

  • UI and UX bugs and spelling mistakes;
  • TLS/SSL related issues;
  • Vulnerabilities due to out of date browsers or plugins;
  • Vulnerabilities relying heavily on social engineering;
  • Content-Security Policies (CSP);
  • Lack of secure flag on cookies;
  • Username enumeration;
  • Vulnerabilities relying on the existence of plugins such as Flash;
  • Flaws affecting the users of out-of-date browsers and plugins;
  • Missing security headers such as, but not limited to, “content-type-options”, “X-XSS-Protection”;
  • Missing CAPTCHAs as a security protection mechanism;
  • Issues that involve a malicious application installed on the device;
  • Vulnerabilities requiring a jailbroken device;
  • Vulnerabilities requiring physical access to mobile devices;
  • Attacks that are theoretical in nature;
  • Use of a known-vulnerable library without proof of exploitability;
  • Vulnerabilities in third-party software, libraries and code;
  • Descriptive error messages (stack traces, server banners etc.);
  • Tap-jacking and UI-redressing attacks that involve tricking the user into tapping a UI element.

Hall of Fame

Recognition for your work

Amazon Voucher

500 INR Worth