Bug Bounty Policy

NOTE: As of January 1st, 2021, we are no longer accepting bug reports until further notice. We want to thank all of you independent researchers for your reports and insights as we take the time to upgrade our systems.

No technology is without errors, and without the help of highly skilled and experienced security experts and researchers, critical weaknesses and vulnerabilities remain undiscovered. If you believe you’ve found an important security issue in our service, we are very interested to hear from you and eager to work with you to fix the issue promptly.

Bounty Eligibility

Pathao reserves the right to decide if the minimum severity threshold is met and whether it was previously reported. To qualify for a reward under this program, you should:

  • Be the first to report a specific vulnerability.
  • Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.
  • Disclose the vulnerability report responsibly to us. Public disclosure or disclosure to other third parties – including vulnerability brokers – before we have addressed your report forfeits the reward.
  • Demonstrate care in reproducing the vulnerability. In particular, test only on accounts you own and do not attempt to view or tamper with data belonging to others.


Participation in our Bug Bounty Program is voluntary. By submitting a report to us, you are indicating that you have read and agree to follow the rules.

  • Research and disclose in good faith.
  • Respect our users’ privacy.
  • No extortion, shakedowns, or duress.
  • Don’t leave any system in a more vulnerable state than you found it.
  • Don’t publicly disclose a vulnerability without our consent.
  • Do not test using social engineering techniques (phishing, vishing, etc.).
  • Do not perform DoS or DDoS attacks.
  • Do not attack our end users in any way, or engage in the trade of stolen user credentials.
  • Be respectful when interacting with our team, and our team will do the same.


We will reward reports according to their severity on a case-by-case basis as determined by our security team. We may pay more for unique, hard-to-find bugs; we may also pay less for bugs with complex prerequisites that lower the risk of exploitation. Our minimum reward is $50 USD. In some cases, we will only reward with company merchandise.

Severity Scale | Minimum Reward Amount (TK) | Minimum Reward Amount (USD)

In-Scope Vulnerabilities

  • Anything that is not listed under Out-of-Scope Vulnerabilities (below) is considered an in-scope vulnerability. This includes:
  • Descriptive error messages that expose credentials

Out-Of-Scope Vulnerabilities

This section contains issues that are not accepted under this program.

The Following Findings Are Specifically Excluded From The Bounty:

  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Open redirects
  • Host header
  • Fingerprinting/banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g. robots.txt).
  • Lack of CSRF in forms intended for unauthenticated users.
  • Lack of rate-limits on authentication endpoints.
  • Content Spoofing without embedded links/HTML
  • Reflected File Download (RFD).
  • Best practices concerns.
  • HTML Injection
  • window.opener-related issues.
  • Highly speculative reports about theoretical damage. Be concrete.
  • Missing HTTP security headers
  • Infrastructure vulnerabilities, including:
    • DNS issues (e.g. MX records, SPF records, etc.)
    • Certificates/TLS/SSL related issues
  • Attacks that require social engineering
  • 0day vulnerabilities recently disclosed
  • DDoS

Out-Of-Scope Vulnerabilities For Android Apps

  • Lack of certificate pinning
  • Lack of obfuscation
  • App secret hard-coded/recoverable in APK
  • Any kind of sensitive data stored in app private directory
  • Lack of binary protection control in an Android app
  • Runtime hacking exploits

Out-Of-Scope Vulnerabilities For iOS Apps

  • Lack of certificate pinning
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of jailbreak detection
  • Lack of obfuscation
  • App secret hard-coded in IPA
  • Runtime hacking exploits

In Scope

Note: Severity shown here only indicates the maximum severity possible for reports submitted to the Asset.


Any other domain or subdomain under Pathao’s ownership is also considered in scope.

Out Of Scope

Domain
business.pathao.com (UAT)
courier.pathao.com (obsolete)

How To Report A Security Issue?

If you find any security issue, please send the report to [email protected] with the following information:

  • Summary
  • Description
  • Impacts
  • Steps to reproduce
  • Recommended Fix (Optional)