Swiggy Bug Bounty
Program
We work hard to keep Swiggy secure and make every effort to keep on top of the latest threats. If you think we've made a security mistake or have a vulnerability, please share with us right away.
🐛 Report a BugWhat is the Security Bug Bounty
Responsible Disclosure Program?
Swiggy's Bug Bounty Program invites security researchers to responsibly disclose vulnerabilities in our systems. We collaborate with our in-house security team and the broader community to keep our platform safe for millions of users.
Discover a Bug
Find a security vulnerability in any of our in-scope targets and document your findings with clear reproduction steps.
Responsible Disclosure
The identified bug shall have to be reported to our security team by sending us a mail from your registered email address to security@swiggy.in with subject prefix "Bug Bounty". The mail should strictly follow the format below.
Get Rewarded
If you're the first to report and it leads to a fix, we'll pay you a reward based on the criticality of the bug. Bounties are awarded after stakeholder review.
Our Targets
The following assets are in scope for the Swiggy Bug Bounty Program. Bugs found on out-of-scope assets are ineligible for rewards.
- Vendor Endpoints
- Delivery App Endpoints
- 3rd Party Applications
- DoS and DDoS testing (strictly prohibited)
- Automated tools or scripts
- Attacks using other users' accounts
- Social Engineering attacks
- Physical security testing
Reward Categorisation
Bounty rewards are determined by the Swiggy security team in discussion with stakeholder leadership. Vulnerabilities are grouped by impact into the four severity tiers below. This list is non-exhaustive and may be updated at any time.
Vulnerability severity classifications are subject to change at any time.
- SQL Injection (access & manipulation of sensitive / PII data)
- Remote Code Execution (RCE)
- Shell Upload vulnerabilities
- Vertical Privilege Escalation (gaining admin access)
- Bulk user sensitive information leak
- Business logic vulnerabilities critically impacting Swiggy brand, user data, or financial transactions
- Account Takeover (without user interaction)
- Authentication Bypass
- Non-Blind SSRFs
- Stored XSS
- Subdomain Takeover (active domains)
- IDOR (access & modify sensitive / PII data)
- Horizontal Privilege Escalation
- Deserialization vulnerabilities
- Path Traversal (access to sensitive information)
- Mobile vulnerability (no root, sensitive data exposed)
- SQL Injection (non-sensitive data)
- Account Takeover (with user interaction)
- IDOR (non-sensitive data access/modify)
- Reflected / DOM XSS (steal user cookies)
- Subdomain Takeover (non-active domains)
- Injection attacks (Formula, Host header injection)
- Mobile vulnerability (requires root, sensitive data)
- Path Traversal (non-sensitive data)
- IDOR (non-sensitive information disclosure)
- Mobile vulnerability (root + non-sensitive data)
- Mobile vulnerability (no root + non-sensitive data)
- Captcha Bypass
Out-of-Scope Vulnerability Classes
The following issue types will not be considered for bounty rewards. Submitting them may result in disqualification from the program.
Non-Disclosure Terms
By participating in the Swiggy Bug Bounty Program, you agree to the following confidentiality obligations.
Definition of Confidential Information
Obligation of Confidentiality
Ownership
Remedies
Governing Law & Jurisdiction
Report Format
Send your report from your registered email address to security@swiggy.in. The mail should strictly follow the format below.
Vulnerability Information:
- Name of Vulnerability:
- Vulnerability Category:
- Description:
- Vulnerable Instances:
- Steps to Reproduce:
- Proof of Concept:
- Impact:
- Recommendation:
Bounty Hunter details:
- Full Name:
- Email Address:
- Mobile Number:
- Any Publicly Identifiable profile: