Banner object (1)

Hack and Take the Cash !

846 bounties in database
  Back Link to program      
Paytm Bug Bounty - Help us secure Paytm further logo
Hall of Fame

Paytm Bug Bounty - Help us secure Paytm further

Although our team of experts has made every effort to mitigate all the bugs in

our systems, Paytm invites independent security groups and individual

researchers to study it across all platforms and help us make it even safer

for our customers. If you discover a bug, we appreciate your cooperation in

responsibly investigating and reporting it to us so that we can address it as

soon as possible. For Security related bugs/vulnerabilities, we offer reward

and recognitions (below).

Though we welcome reporting of non-security issues at, please note that only genuine security issues are

eligible for rewards.

In case of any issues related to fraud, please report them to:


Participating in Paytm’s bug bounty program requires you to follow our

guidelines. Responsible investigation and reporting includes, but not limited

to the following:

  • Don't violate the privacy of other users, destroy data, disrupt our services, etc.

  • Only target your own accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the accounts of other users.

  • Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc.

  • Incase you find a severe vulnerability that allows system access, you must not proceed further.

  • It is Paytm’s decision to determine when and how bugs should be addressed and fixed.

  • Disclosing bugs to a party other than Paytm is forbidden, all bug reports are to remain at the reporter and Paytm’s discretion.

  • Threatening of any kind will automatically disqualify you from participating in the program.

  • Exploiting or mis-using the vulnerability for own or others benefit will automatically disqualify the report.

In general, please investigate and report bugs in a way that makes a

reasonable, good faith effort not to be disruptive or harmful to us or our

users. Otherwise your actions might be interpreted as an attack rather than an

effort to be helpful.


Generally speaking, any bug that poses a significant vulnerability could be

eligible for reward. But it's entirely at our discretion to decide whether a

bug is significant enough to be eligible for reward.

Security issues that typically would be eligible (though not necessarily in

all cases) include:

  • Cross-Site Request Forgery (CSRF)

  • Cross-Site Scripting (XSS)

  • Code Executions

  • SQL injections

  • Server Side Request Forgery (SSRF)

  • Privilege Escalations

  • Authentication Bypasses

  • File inclusions (Local & Remote)

  • Protection Mechanism bypasses (CSRF bypass, etc.)

  • Leakage of sensitive data

  • Directory Traversal

  • Payment manipulation

  • Administration portals without authentication mechanism

  • Open redirects which allow stealing tokens/secrets


Things that are not eligible for reward include:

  • Application stack traces (Path disclosures, etc.)

  • Self-type Cross Site Scripting

  • Denial of Service attacks

  • CSRF issues on actions with minimal impact

  • Brute force attacks

  • Security practices (banner revealing a software version, etc.)

  • Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.

  • Vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack, etc.

  • Vulnerabilities affecting outdated or unpatched browsers / Operating Systems.

  • Vulnerabilities in third party applications that make use of Kraken's API.

  • Bugs that have not been responsibly investigated and reported.

  • Bugs already known to us, or already reported by someone else (reward goes to first reporter).

  • Issues that aren't reproducible.

  • Issues that we can't reasonably be expected to do anything about.

  • Reports of current or previous employees of One97, Paytm and subsidies and partners


  • All monetary rewards can ONLY be credited to a Paytm wallet, KYC required.

  • The minimum reward for eligible bugs is the equivalent of 1000 INR.

  • Only one reward per bug.

  • Rewards over the minimum are at our discretion, but we will pay significantly more for particularly serious issues. We will also issue Certificate of recognition to distinguished individuals.

  • Multiple reports over time can be eligible for Hall of Fame.

  • Depending on the report, reports may be eligible for a digital certificate rather than a bounty.

How to Report a Bug ?

  • Fill the form (Findings reported by other ways will not be acknowledged).

  • Include as much information in your report as you can. Ideally, a description of your findings, the steps needed to reproduce it, and the vulnerable component (i.e. API endpoint, etc.)

  • If you need to share screenshots / videos for PoC, please upload to your own Google Drive or any other upload service and share with us the links to those files in the form.

  • Include your correct name and email address so we can reach out to you.

  • Include your Paytm Wallet phone number for payment (optional).

Allow us up to 7 days to respond before sending another email on the matter.

To report a Security vulnerability in our systems, please fill out this form

below. Note: fields marked * are mandatory.

Reporter Name *

Reporter Email *

Reporter Paytm Wallet Number

Bug Type * -- Please select an option -- Cross-Site Request Forgery (CSRF)

Cross-Site Scripting (XSS) SQL Injection (SQLi) Code Injection Remote Code

Execution Privilege Escalation Authentication Bypass Clickjacking Leakage of

Sensitive Data Other Security Issue

If other bug type, please specify

Bug Title *

Bug Description *

Steps to Reproduce *



Captcha *


On behalf of over a million users, we would like to thank the following people

for making a responsible disclosure to us:



This program crawled on the 2015-06-30 is sorted as bounty.

FireBounty © 2015-2019

Legal notices