🔒 Responsible Disclosure Program

Swiggy Bug Bounty Program

We work hard to keep Swiggy secure and make every effort to keep on top of the latest threats. If you think we've made a security mistake or have a vulnerability, please share with us right away.

5 days response time · 4 severity tiers · 20+ in-scope targets

What is the Security Bug Bounty Responsible Disclosure Program?

Swiggy's Bug Bounty Program invites security researchers to responsibly disclose vulnerabilities in our systems. We collaborate with our in-house security team and the broader community to keep our platform safe for millions of users.

Discover a Bug

Find a security vulnerability in any of our in-scope targets and document your findings with clear reproduction steps.

Responsible Disclosure

Report the identified bug to our security team by emailing security@swiggy.in from your registered email address, using the subject prefix "Bug Bounty". The mail must strictly follow the format below.

Get Rewarded

If you're the first to report and it leads to a fix, we'll pay you a reward based on the criticality of the bug. Bounties are awarded after stakeholder review.

Our Targets

The following assets are in scope for the Swiggy Bug Bounty Program. Bugs found on out-of-scope assets are ineligible for rewards.

✕ Out-of-Scope
  • Vendor Endpoints
  • Delivery App Endpoints
  • 3rd Party Applications
  • DoS and DDoS testing (strictly prohibited)
  • Automated tools or scripts
  • Attacks using other users' accounts
  • Social Engineering attacks
  • Physical security testing

Reward Categorisation

Bounty rewards are determined by the Swiggy security team in discussion with stakeholder leadership. Vulnerabilities are grouped by impact into the four severity tiers below. This list is non-exhaustive and may be updated at any time.

Vulnerability severity classifications are subject to change at any time.

Critical ★★★★
  • SQL Injection (access & manipulation of sensitive / PII data)
  • Remote Code Execution (RCE)
  • Shell Upload vulnerabilities
  • Vertical Privilege Escalation (gaining admin access)
  • Bulk user sensitive information leak
  • Business logic vulnerabilities critically impacting Swiggy brand, user data, or financial transactions
  • Account Takeover (without user interaction)
High ★★★
  • Authentication Bypass
  • Non-Blind SSRFs
  • Stored XSS
  • Subdomain Takeover (active domains)
  • IDOR (access & modify sensitive / PII data)
  • Horizontal Privilege Escalation
  • Deserialization vulnerabilities
  • Path Traversal (access to sensitive information)
  • Mobile vulnerability (no root, sensitive data exposed)
Medium ★★
  • SQL Injection (non-sensitive data)
  • Account Takeover (with user interaction)
  • IDOR (non-sensitive data access/modify)
  • Reflected / DOM XSS (steal user cookies)
  • Subdomain Takeover (non-active domains)
  • Injection attacks (Formula, Host header injection)
  • Mobile vulnerability (requires root, sensitive data)
Low
  • Path Traversal (non-sensitive data)
  • IDOR (non-sensitive information disclosure)
  • Mobile vulnerability (root + non-sensitive data)
  • Mobile vulnerability (no root + non-sensitive data)
  • Captcha Bypass

Out-of-Scope Vulnerability Classes

The following issue types will not be considered for bounty rewards. Submitting them may result in disqualification from the program.

General
  • IDOR for objects you have permission to
  • Duplicate / known issues
  • Rate limiting (non-severe)
  • Multiple reports for the same vulnerability type
  • Clickjacking
  • Session cookies without HttpOnly / Secure flags
  • Social engineering attacks
System & Network
  • Patches released within 30 days
  • Networking issues / industry standards
  • Password complexity
Email
  • SPF or DMARC records
  • Gmail dot trick
  • Email bombs
  • Unsubscribing from marketing emails
Information Leakage
  • Descriptive error messages (stack traces)
  • HTTP 404 / non-200 codes
  • Fingerprinting / banner disclosure
  • Known public files (robots.txt)
  • Cacheable SSL pages
  • SSL/TLS best practices
CSRF
  • CSRF on anonymous forms (login, sign-up)
  • Logout CSRF
  • Weak CSRF in APIs
Login & Session
  • Forgot password brute force / no lockout
  • Lack of CAPTCHA
  • Sessions not expiring after email change
  • Autocomplete / save password
  • Session timeouts

Non-Disclosure Terms

By participating in the Swiggy Bug Bounty Program, you agree to the following confidentiality obligations.

Definition of Confidential Information
"Confidential Information" means all information supplied in confidence by Swiggy to the participant, including technical information, intellectual property, know-how, source code, databases, marketing strategies, financial information, business plans, customer or supplier lists, and any other information communicated in connection with this program.
Obligation of Confidentiality
For a period of 5 years, the participant shall not publish, disseminate, or disclose any Confidential Information. The participant shall use the information only in connection with the bug bounty program. Confidential Information shall not be copied or reproduced. The participant shall not independently develop products or systems that compete with or are similar to those described in the Confidential Information. Any breach shall result in the participant indemnifying Swiggy against all resulting losses and damages.
Ownership
All Confidential Information furnished to the participant remains the exclusive property of Swiggy. Swiggy retains sole and exclusive ownership of all right, title, and interest, including copyrights, patents, and trade secrets. Upon request, the participant must promptly return all materials and provide written certification of destruction.
Remedies
Any disclosure or misappropriation of Confidential Information shall cause Swiggy irreparable harm. Swiggy reserves the right to seek specific performance, injunctions, or any other equitable relief without posting a bond. These rights are in addition to any other remedies available at law.
Governing Law & Jurisdiction
These Terms shall be governed by the laws of the Republic of India. The courts in Bangalore shall have exclusive jurisdiction over any disputes arising out of or relating to these Terms.

Report Format

Send your report from your registered email address to security@swiggy.in. The mail should strictly follow the format below.

Subject: Bug Bounty: <Vulnerability Category> – <Bounty Hunter Full Name>

Vulnerability Information:

  • Name of Vulnerability:
  • Vulnerability Category:
  • Description:
    • Vulnerable Instances:
    • Steps to Reproduce:
    • Proof of Concept:
    • Impact:
    • Recommendation:

Bounty Hunter details:

  • Full Name:
  • Email Address:
  • Mobile Number:
  • Any Publicly Identifiable profile:
Note: For <Vulnerability Category> in the subject line, please select the vulnerability category that most closely matches one defined in the Reward Categorisation above. The Swiggy security team will review the submission and respond within 5 working days.