Pine Labs Bug Bounty Program

Pine Labs

Pine Labs is an Indian merchant platform company that provides financing and last-mile retail transaction technology, founded in 1998. It is one of the unicorn companies, with a valuation of over US$5 billion. It provides a merchant platform and makes software for point of sale machines.

Program Rules

At Pine Labs we recognize the important role that security researchers play in helping to keep Pine Labs and our customers secure.

By participating in this program you acknowledge that you have read and agreed to the Program Rules, which is defined as this entire document.

Testing Policy and Responsible Disclosure

Please adhere to the following rules while performing research on this program:

Denial of service (DoS) attacks on Pine Labs applications, servers, networks or infrastructure are strictly forbidden.
Avoid tests that could cause degradation or interruption of our services.
Do not use automated scanners or tools that generate large amount of network traffic.
Only perform tests against your own accounts to protect our users' privacy.
Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
Do not copy any files from our applications/servers and disclose them.
No vulnerability disclosure, full, partial or otherwise, is allowed.

Reward Eligibility and Amount

We are happy to thank everyone who submits valid reports which help us improve the security of Pine Labs, however only those that meet the following eligibility requirements may receive a monetary reward:

You must be the first reporter of a vulnerability.
The vulnerability must be a qualifying vulnerability (see below).
The report must contain the following elements:
- Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and Pine Labs, and remediation advice on fixing the vulnerability
- Proof of exploitation: screenshots and/or videos demonstrating the exploit was performed, and showing the final impact
- Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc
You must not break any of the testing policy rules listed above
You must not be a former or current employee of Pine Labs or one of its contractors.

Reward amounts are based on:

Reward grid of the report's scope
CVSS scoring and actual business impact of the vulnerability upon performing risk analysis

In Scope

Scope Type	Scope Name
android_application	https://play.google.com/store/apps/details?id=com.pinelabs.emicatalogue.pinelabs&hl=uz
api	https://api.pluralonline.com
api	https://api.pluralpay.in
api	https://pinepg.in/
api	https://pluralcheckout.pinepg.in
web_application	dashboard.pluralonline.com
web_application	analytics.pinelabs.com
web_application	trm.pinepaymentsolutions.com
web_application	https://www.letspaylater.ph/
web_application	https://www.pinelabs.ae/
web_application	https://billingserver.pinelabs.com/
web_application	https://lounge.pinelabs.com/loungeui/login
web_application	https://pinepgconsole.in:9099
web_application	https://myplutus.pinelabs.my/
web_application	https://trm.pinelabs.ae
web_application	https://credit.pinelabs.com
web_application	https://plmcixt.pinelabs.com/
web_application	https://emistores.pinelabs.com/
web_application	https://www.pinelabs.com/
web_application	https://www.pinelabs.my/
web_application	https://www.pinelabs.us/
web_application	https://board.pinelabs.com/
web_application	https://nbs.pinelabs.com/

Out of Scope

Scope Type	Scope Name
undefined	All other Pine Labs assets that are not listed above are to be treated as out of scope

This program crawled on the 2023-04-04 is sorted as bounty.