FITNESS

SPORTS

CARE

MIND

STORE

cart-image

violet-circle

bug bounty banner

Identifing vulnerability on our web and reporting

new program where people from all around the world are welcome to identify bugs and report to us, and we will work closely with them to address such issues with urgency, and publicly acknowledge their contribution over our Hall of Fame.

Step by step

If it happens that you have identified a vulnerability on our web or mobile portal, we request you to follow the following

https://static.cure.fit/assets/images/Steps_Card_1.png

1. Identify the impact

Vulnerability it’s severity and impact as per you

2. Recreate the scenario

Process to recreate the scenario an reach out to you if further inputs are needed to identify or close the problem.

https://static.cure.fit/assets/images/Steps_Card_3.png

3. Share screenshot/video

share screenshots/ videos related to the issue that could help us inspect further

4. Get intouch with us

share your contact details (email, phone number), so that our security team can reach out to you if further inputs are needed.

Contact us immediately by sending an email over to

security@curefit.com

resolution icon

What will we do

Once we receive your submission, the team will investigate your report and work with you to understand and remediate the vulnerability. Meantime, please don’t discuss or disclose the vulnerability details until we close the report

security@curefit.com

Out-of-Scope vulnerabilities

Exploits using runtime changes
Application crashes
Irrelevant activities/intents exported
Android backup vulnerability
Exploits reproducible only on rooted/jailbroken devices
Lack of obfuscation
Denial of service attacks
Phishing attacks
Social engineering attacks
Reflected file download
Software version disclosure
Issues requiring direct physical access
Issues requiring exceedingly unlikely user interaction
Flaws affecting out-of-date browsers and plugins
CSV injection
Email enumeration
Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
Missing cookie flags on non-authentication cookies
CSP Weaknesses
Email Spoofing
Broken links or unclaimed social media accounts (unless chained with an impactful exploit)

In Scope Domains

*.cult.fit
*.curefit.co
*.cultsport.com
*.curefit.com

Rewards Awaiting

Rewards and awards are complete based on the severity and impact of the issue reported and will be at the discretion of the Security Team.

Gold

-2019-

-2021-

-2022-

Jaikishan Tulswani

Sachin Kumar

Mohsin Khan

Udhaya Praveen

Vaibhav KT

-2023-

Swapnil Sharma

-2024-

Silver

-2019-

Navoneel Jana

-2021-

-2022-

Simranjeet Singh Gill

-2023-

Mohsin Khan

Vaibhav KT

Yash Vardhan

-2024-

Suraj Bisht

Bronze

-2019-

-2021-

Pratik Yadav

-2022-

Sachin Kumar

Ritu Sardiwal

Jitaksh Kapoor

Krutika Vinayak Thakur

-2023-

Sachin

-2024-

Thanks

-2019-

Madhuri Deb

-2021-

Mohsin Khan

-2022-

Jaikishan Tulswani

Ritu Sardiwal

Mohsin Khan

Chaitanya Surabhi

-2023-

Ananya Pandey

Suraj Singh Bisht

Piyush

G kranthi kumar

Niraj Kumar

Jaikishan Tulswani

-2024-

Pradeep Jhuriya

Akshay Adak

Shivasai Pasham

Joy Bapuly

Deepeshwar

Disclaimer

If the identified vulnerability can be used to potentially extract information of our customers or systems, or impair our systems' ability to function normally, then please refrain from actually exploiting such a vulnerability. This is absolutely necessary for us to consider your disclosure a responsible one. While we appreciate the inputs of Whitehat hackers, we may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customers. Appreciate your help in keeping Cultfit and our customers' data safe.