At Practo, we take safety and security of our customers’ data very seriously and stand guard to the trust put in us by our
We understand the importance and value of the role played by security researchers and ethical hackers in keeping the
internet safe. Therefore, we support their responsible efforts in not only identifying potential vulnerabilities but
also reporting them responsibly.
We urge you to review the Responsible Disclosure Policy before you test and/or report an issue with any of our applications.
We assure you that Practo will never pursue any legal action against users who report the issues, as long as they follow
Who can participate in the program?
Anyone who does not work for Practo or for a partner of Practo, who reports a unique in-scope security issue and does not disclose
it to a third party before we have patched and updated our systems, is eligible to take part in this program.
Responsible Disclosure policy:
- Report your finding by writing to us directly at email@example.com without making any information public.
- We will respond as quickly as possible; this generally takes 24-48 hours.
- In the best interest of our customers and their data, please do not publicly disclose the issue until it has been addressed
by Practo within a reasonable timeframe.
- In order to keep everyone safe, please act in good faith towards our users' privacy and data during your disclosure.
We won't take legal action against you or administrative action against your account if you act accordingly.
- Make every effort to avoid privacy violations, disruption to production systems, degradation of user experience and
destruction of data during security testing. This would include brute force, DoS, spamming, scraping, social engineering
Please include the following information when sending us the details:
- Operating system name and version.
- Client name and version.
- Plugin names and versions installed in the client.
- Steps necessary to reproduce the vulnerability, including any specific settings required to reproduce it (if this involves
more than a few steps, please create a video so we can attempt to perform the same steps).
- A copy of the source code following your successful test.
- What is the impact of the issue?
- What are some scenarios where an attacker would be able to leverage this vulnerability?
- What would be your suggested fix?
In Scope
- All subdomains of practo.com, i.e. *.practo.com
- Practo mobile apps: Android, iOS
Not in Scope
- WordPress users disclosure
- WordPress DoS CVE-2018-6389
- WordPress CORS in wp-json
Once we receive the details from you, we will acknowledge the issue within 24-48 hours. We'll assess the issue
and provide you with an estimated timeframe for addressing the reported vulnerability.
We will notify you once the vulnerability is fixed. And last but not least, we express our gratitude and sincerest thanks to you
for helping us keep user data and services safe and secure by featuring you in our security hall of fame.
By participating in Practo’s Responsible Disclosure program (the “Program”), you acknowledge that you have read and
agree to Practo’s Terms of Service as well as the following:
- Your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.
- You are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation
in the Program, including from any bounty payments when we run bug bounty programs in the future.
- Practo reserves the right to terminate or discontinue the Program at its discretion.