Licious
Bug Bounty Program
About the Program

At Licious, we take the security of our applications and our customers' data very seriously. We have taken countless measures to make sure that our applications are safe and secure for everyone to use. Hence, we encourage and appreciate the work of security researchers who identify and responsibly disclose vulnerabilities in our in-scope applications.

If you (the security researcher) are committed to following this responsible disclosure policy and report the identified security vulnerability to us, we commit to:
Swiftly acknowledge your report submission and connect with you to understand the vulnerability.


Scope

Any mobile (iOS and Android) or web application owned by Licious, including its backend APIs, is in scope of this program.


Eligibility

We accept vulnerabilities that pose a security risk, such as compromise or leakage of users' or Licious' private data, bypass of system protections, or access to our infrastructure.

Program Terms
We recognise and appreciate security researchers who help us keep our users' data safe and our applications free from security risks by responsibly disclosing vulnerabilities to us. We reserve all rights to accept or reject a submission based on severity, impact and other factors. While testing, the security researcher must adhere to the following terms:
  • The report must contain a description of the identified vulnerability and steps to reproduce it, with a clear attack scenario and impact.
  • Do not try to violate the privacy of other users, destroy data, disrupt any of our production services, or attempt to gain access to other users' accounts or personal information.
  • Do not exploit or misuse the vulnerability for your own or others' benefit. This will automatically disqualify the report.
  • Limit the use of scanners or automated tools to find vulnerabilities, as these may disrupt our services.
  • You will not cause any harm to the brand or cause reputational loss to Licious and/or its consumers.
  • Accessing, downloading or modifying (or attempting to access, download or modify) data from an account that does not belong to you is not permitted.
  • Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the acceptance email marking the vulnerability as valid is communicated to the researcher.
  • We may modify the terms of this program or terminate this program at any time. Licious employees and their family members are not eligible for a reward.
  • We will not reward a report if the reported vulnerability is found to be a duplicate or was already reported by another security researcher prior to your submission.

Program Exclusion / Out of Scope
  • Any third-party hosted applications, websites or microservices that are integrated with Licious.
  • Any report without a proof of concept will not be considered.
  • Any application or service that is not mentioned in Scope.
  • DoS/DDoS attacks, social engineering attacks, and attacks requiring physical access to a victim's computer/device.
  • Self XSS, clickjacking on pre-authenticated pages, Logout Cross-Site Request Forgery (logout CSRF), browser 'autocomplete' enabled, and tabnabbing.
  • Misconfigured or missing SPF records and email spoofing, missing security headers, outdated server versions.
  • Fingerprinting/banner disclosure, descriptive error messages (e.g., stack traces, application or server errors) and disclosure of known public files (e.g. robots.txt).
  • Issues without security impact or which do not pose any security risk.
  • Recently disclosed zero-day vulnerabilities in commercial products where no patch or only a recent patch (< 2 weeks) is available.
  • Lack of Secure and HttpOnly flags on cookies other than the session cookie.
  • Lack of jailbreak or root detection.
  • Exif metadata not stripped.
  • Host header injection.
  • Google Maps API key exposed.
  • Misconfigured or missing DMARC record.

Reporting Guidelines
If you believe that you have identified a security vulnerability within the program scope, please submit your report to:
security@licious.com

The report should be submitted as per the below format.

Email Format:
Subject: [Vulnerability] – <Vulnerability Title>
Email Body:
Individual Details:
  • Name:
  • Email:
  • Contact No.
Vulnerability Details:
  • Vulnerability Title:
  • Severity:
  • Vulnerability Summary:
  • Affected URL:
  • Steps to Reproduce (with POC):
  • How can it impact Licious?
NOTE: Please send the POC as an attachment.

Reward & Recognition
  • We determine reward based on a variety of factors, including (but not limited to) severity, likelihood, ease of exploitation and quality of the report.
  • Once we receive a report, we analyse and validate the vulnerability; once the security vulnerability is validated, we will determine the reward.
  • All rewards are paid in the form of e-vouchers and are disbursed at the end of each month to your registered email ID.
  • Our minimum reward is 500 INR.

Disclosure Policy
  • We do not allow public disclosure of any vulnerability at any stage. This means you must not release information about vulnerabilities found in the applications mentioned in Scope; failing to comply makes you liable for legal penalties.
  • Any improper public disclosure or misuse of information without consent will entitle Licious Management to take appropriate legal action.
  • The security researcher must not discuss reported vulnerabilities (even resolved ones) outside of the program without express consent from the organization.

Legal Terms

Licious will not take legal action against security researchers who identify and responsibly disclose vulnerabilities and adhere to our Program Terms and Disclosure Policy.