Licious
Bug Bounty Program
Our Vision @ Licious

Our vision is to revolutionise the way people buy and consume meat and seafood by providing high-quality, fresh, and hygienic products through a seamless online ordering experience.


Bug Bounty Program Overview

At Licious, we take the security of our applications and our customers' data very seriously. We have taken extensive measures to make sure that our applications are safe and secure for everyone to use. We therefore encourage and appreciate the work of security researchers who identify, and responsibly disclose, vulnerabilities in our in-scope applications.

If you, as a security researcher, commit to following this responsible disclosure policy and report the identified security vulnerability to us, we commit to:

  • Promptly acknowledge your report and connect with you to understand the vulnerability.


How to report the issues discovered?

If you believe that you have identified a potential security vulnerability in any application or asset that comes within the scope of the program, please submit your report to security@licious.com.

SLA for triaging issues, by severity:

  Type of issue    SLA (working days)
  Critical         < 1 day
  High             2-3 days
  Medium           < 1 week
  Low              < 4 weeks
Required Fields:
  • Reporter Name
  • Email
  • Vulnerability Name
  • Vulnerability Description
  • Affected Scope
  • Steps to Reproduce
  • Severity
  • Impact
  • PoC Attachment(s)
  • Remediation
NOTE: To expedite triaging, please attach a detailed video proof of concept (PoC) demonstrating the vulnerability, as comprehensive reports with clear evidence may qualify for higher bounties.
Program Scope

The following applications/systems are in scope for the program:

  1. Licious Web Application
  2. Licious Mobile Application – Android / iOS
  3. Licious APIs

Reward & Recognition

At Licious, we value the contributions of security researchers in enhancing our security. Here's how our reward system works:

✅ Eligibility & Reward Criteria

First Reporter: Only the first valid report of a vulnerability is eligible for a reward.

Scope Compliance: The vulnerability must fall within our defined scope and adhere to our responsible disclosure guidelines.

Evaluation Factors: Rewards are determined based on:

  • Severity of the issue
  • Likelihood of exploitation
  • Ease of exploitation
  • Quality of the report, including clarity, reproducibility, and supporting evidence.
💰 Reward Process
  1. Report Submission: Submit your findings through our designated reporting channels.
  2. Analysis & Validation: Our security team will review and validate the reported vulnerability.
  3. Reward Determination: Upon validation, we will assess the reward based on the criteria mentioned above.
Minimum Reward

We value the contributions of security researchers in helping us maintain a secure environment. All valid submissions will be reviewed by our internal team. Based on the severity, impact, and quality of the report, rewards will be determined in accordance with our internal evaluation process.

✅ Do's: Best Practices for Effective Reporting

To help us understand and address vulnerabilities efficiently, please follow these guidelines:

  1. Review the Scope: Ensure the issue you're reporting falls within the defined scope of our program. This helps in prioritizing and validating your submission.
  2. Provide a Clear Proof of Concept (PoC): Include detailed steps to reproduce the issue, along with screenshots or a video PoC when applicable. This enables our team to verify and validate the vulnerability without needing follow-up questions.
  3. Assess and Communicate the Security Impact: Clearly describe the potential consequences of the vulnerability. Our bounty payouts are directly tied to security impact, so the more detail you can provide, the better.
  4. Submit Detailed Reports Even When Unsure: If you're uncertain about the direct impact but believe you've found something interesting, feel free to submit a detailed report and ask.
❌ Don'ts: Actions to Avoid

To maintain the integrity of our program and ensure a safe and secure environment, please refrain from the following:

  1. Unauthorized Access: Do not use or interact with accounts you do not own.
  2. Brute Force Attacks: Do not brute force credentials or guess credentials to gain access to systems or accounts.
  3. Unauthorized Password Changes: Do not change the password of any account that is not yours or that you do not have explicit permission to change.
  4. Denial of Service (DoS) Attacks: Do not perform DoS attacks or related tests that would cause availability interruptions or degradation of our services.
  5. Premature Disclosure: Do not disclose a vulnerability submission to anyone; our bug bounty program prohibits both public and private disclosure.
  6. Social Engineering: Do not engage in any form of social engineering of our employees, customers, or partners.
  7. Targeting Individuals: Do not engage or target any specific employees, customers, or partners during your testing.
  8. Accessing Sensitive Data: Do not access, extract, or download personal or business information beyond that which is minimally necessary for your PoC purposes.
  9. Data Destruction: Do not do anything that would cause destruction of our data or systems.
  10. Privacy Violations: Respect user privacy and confidentiality; refrain from accessing or tampering with sensitive data.
  11. Legal Compliance: Comply with all applicable laws and regulations during the research process.
Out-Of-Scope

1. Web applications and APIs

  • a. Host header injection without proven business impact
  • b. API key disclosure without proven business impact
  • c. Blind SSRF without proven business impact (pingbacks are not sufficient)
  • d. HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • e. Fingerprinting/banner disclosure on common/public services.
  • f. Disclosure of known public files or directories (e.g., robots.txt).
  • g. Getting OTPs is expected behaviour for countries other than India.
  • h. Issues that require unlikely user interaction, such as self-XSS, clickjacking, or attacks that require the victim to install a specific application and interact with it, and issues that require MITM or physical access to a device.
  • i. Clickjacking on pages with no sensitive actions.
  • j. CSRF on forms that are available to anonymous users (e.g., login or contact form).
  • k. Logout / Login Cross-Site Request Forgery (logout CSRF).
  • l. Presence of application or web browser 'autocomplete' or 'save password' functionality.
  • m. Lack of Security Speed Bump when leaving the site.
  • n. No Captcha / Weak Captcha / Captcha Bypass.
  • o. Login or Forgot Password page brute force and account lockout not enforced.
  • p. Enabled HTTP methods (OPTIONS, PUT, GET, DELETE, INFO).
  • q. Web server type disclosure.
  • r. Social engineering of our service desk, employees, or contractors.
  • s. Physical attacks against Licious's offices and data centers.
  • t. Error messages with non-sensitive data.
  • u. Non-application layer Denial of Service or DDoS.
  • v. Lack of HTTP Only / SECURE flag for cookies.
  • w. Username / email enumeration via login page or forgot-password error messages.
  • x. Missing HTTP security headers.
  • y. CSV issues.
  • z. AV scanning.
  • aa. SSL/TLS issues.
  • ab. Cookie Issues:
    • HTTPONLY
    • SECURE
    • Multiple cookie setting
    • Anything to do with JSESSIONID
  • ac. Service Rate Limiting.
  • ad. User or Org enumeration.
  • ae. Security Image Issues.
  • af. Homograph attacks.

2. For Mobile Applications

  • a. Crashes due to malformed URL Schemes.
  • b. Shared links leaked through the system clipboard.
  • c. No or ineffective jailbreak / root detection.
  • d. Snapshot/Pasteboard leakage.
  • e. Sensitive data in URLs/request bodies when protected by TLS.
  • f. No or ineffective anti-reversing controls (e.g. obfuscation, runtime tampering, debugging, emulator detection).
  • g. No or ineffective certificate validation and pinning.
  • h. Disclosure of paths in binary (such as file system paths of the system where the app was compiled).
  • i. Disclosure of API keys for non-sensitive uses.
  • j. Runtime hacking exploits that are only possible on jailbroken or rooted end-user devices.

Disclosure Policy

Licious strictly prohibits the public disclosure of any vulnerabilities at any stage of the disclosure process. Security researchers must not share, publish, or publicly discuss any information related to vulnerabilities in systems within scope — whether discovered, reported, or resolved — without explicit written consent from Licious.

Any unauthorized disclosure, publication, or misuse of such information may result in legal action, including but not limited to civil or criminal penalties, as deemed appropriate by Licious management.

By participating in this program, you agree to maintain confidentiality and only communicate vulnerability details through Licious's official disclosure channels.


Legal Terms

Licious commits not to pursue legal action against security researchers who:

  1. Conduct testing within the defined scope.
  2. Avoid privacy violations, data destruction, or service disruption.
  3. Promptly report vulnerabilities with sufficient detail.
  4. Act in good faith to avoid harm to Licious and its users.
  5. Fully comply with this Disclosure Policy and all Program Terms.

However, Licious reserves the right to take appropriate legal measures against individuals who do not follow these guidelines or act maliciously.
