Flyy Bug Bounty Policy

Eligibility

Reporter eligibility

  • You must NOT have been an employee of Flyy within the last 6 months.

  • You must NOT be an immediate family member of a Flyy employee.

  • You must be a citizen of India with a valid PAN card (to receive bounty payments).

Report eligibility

  • Only the first report for a given vulnerability will be eligible for a bounty reward. NOTE: You will receive a response from us even if the report is a duplicate.

  • The report format and details must meet all the requirements mentioned under the report requirements.

  • A report email should only contain a single vulnerability report.

Responsible disclosure

  • In case you find vulnerabilities that may negatively affect one or many of our merchants, please refrain from exploiting them. Instead, report them to us immediately.

  • We expect you not to disclose the details or existence of the vulnerability until we fix the issue in production. NOTE: Issuing a bounty reward does not necessarily mean that the issue has been fixed in production. Sometimes fixing the issue might take more time.

  • Also do not disclose the existence or details of the vulnerability without explicit permission from Flyy, even after bounty payment or a fix.

  • Only use your own Flyy accounts for testing a vulnerability. The process should not negatively affect any of our merchant accounts.

  • Only test for vulnerabilities. Do not engage in activities that lead to destruction, copying and/or exposure of data or resources in our system.

  • Do not attempt a DoS or DDoS even if you find a related vulnerability. You may report the same for confirmation instead.

Report template

Individual Details:
- Full Name
- Email
- Any publicly identifiable profile (LinkedIn, GitHub, personal website, etc.)

Bug Details:
- Vulnerability
- Flyy in-scope domain(s) or systems affected

Description and impact of the vulnerability:
- Steps to reproduce, in accurate detail (even if you use scripts or tools; attach scripts/snippets if needed)
- Impact of the vulnerability to Flyy and its users (as you understand it)

Expected response timelines


  • Acknowledgment - Within 2 working days after submission.

  • Triage and bug validation - Within 7 working days after acknowledgment.

  • Bounty transfer - Within 14 working days after validation response.

  • Bug fix - Depends on the type and criticality of the vulnerability.
 

Scope


In-Scope


Domains

 

Bounty reward

All valid bugs are awarded a bounty based on their impact. You will get a Bug Bounty Certificate, and the exact amount of the bounty will be at the discretion of Flyy. The reward will be remitted to Indian bank accounts via NEFT. We are not currently able to make international remittances.