Application Security

NestAway values your privacy, and it is our goal to maintain the security of our platform. If you encounter or identify any security issues with NestAway, you may contact our Security Team directly by emailing at security@nestaway.com. Someone will be in touch, usually within 12 hours.

Targets

  • www.nestaway.com (all other subdomains are out of scope for the bounty program.)

Out of scope

  • All other subdomains are out of scope for the bounty program.
  • https://www.nestaway.com/blog
  • https://www.nestaway.com/m/

Ground rules.

  • Do not attempt to gain access to another user’s account or data.

  • Do not perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.

  • Do not disclose a bug before it has been fixed.

  • Automated scanners or automated tools are strictly prohibited.

  • Account signup on the NestAway platform is mandatory; without it the report shall be considered invalid. Please refer to NestAway’s terms and conditions and privacy policy before testing any feature.

  • Researchers should create an account using the following format: if you own user@mail.com, create an account with user+security@mail.com to submit any vulnerability.

  • While reporting an issue, please include the following details in the mail as well; without them the report shall be considered invalid.
    • Name of the vulnerability.
    • Areas affected.
    • Reproduction steps.
    • Impact of the vulnerability.
    • Account details (email and mobile number used while creating the account).
  • Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

  • To test any live booking, please contact security@nestaway.com. Our team will give you a test environment in which to test booking.

  • Once the bug has been acknowledged by our team, please do not try to reproduce it again.

  • Please note that violating any of the rules mentioned above will result in legal action.

  • When in doubt, email us at security@nestaway.com.

Focus areas.

  • XSS.
  • CSRF.
  • Authentication or authorization flaws.
  • Injection issues.
  • IDOR.

Issues excluded from bounty program.

  • Self-XSS.
  • Descriptive error messages.
  • IDOR/CSRF on forms that are available to anonymous users.
  • SPF record issues.
  • Lack of security headers.
  • Mail flooding.
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Username enumeration.

Disclaimer

NestAway reserves the right to ask the researcher to provide further clarification or a proof-of-concept exploit before awarding any bounty. A reported vulnerability must clearly demonstrate the risk to the infrastructure or its users in order to receive a bounty.

Thanks

  • Raghavendra Reddy P - Reported an IDOR bug in a third-party vendor that NestAway uses.

  • Severus - Reported a server misconfiguration issue.

  • Gaurav Bahl - Reported a broken authentication and session management issue.

  • Abhishek Upadhyay - Reported a broken authentication and session management issue.

  • Maheep Kumar - Reported a known issue.

  • Parveen Pandey - Reported a known issue.