Info
Report Issue

Would you like to partner with tripportalbd.com (TRIPPORTAL) in creating an awesome and secure online travel booking experience for our customers? And also earn some money doing so!

Introducing TRIPPORTAL's Report Bug/Defect Reward program

If you believe you have found a serious security vulnerability on our site tripportalbd.com or application (Android/iOS), we appreciate your help in letting us know responsibly. We treat all security reports as urgent and commit to investigating & resolving the issue within a reasonable timeframe. As a token of our appreciation, we offer a monetary reward depending on the impact of the issue. Please review this page, especially the Responsible Disclosure policy and Reward Guidelines before reporting.

Responsible Disclosure

While conducting your research, we ask that

  • You will protect our users' privacy and data in good faith. You will not access or modify other users' data without our permission.

  • You will ensure that no disruption is caused to the production systems, degradation of user experience, and destruction of data during security testing.

  • If you inadvertently cause a privacy violation or disruption in the absence of any malicious intention (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this immediately in your communication with us.

  • You shall refrain from exploiting and/or proceeding with subsequent testing of a security issue you discover for any reason (including demonstrating additional risk etc).

  • You allow us a reasonable period of time to investigate and remediate the issue before you share it with others or disclose it publicly.

  • You do not violate any other applicable laws or regulations.

Our Commitment

In return, we commit to

  • Working with you to investigate and resolve the issue as quickly as possible

  • Keeping you informed of the status of the issue reported

  • Suitably rewarding your efforts (see reward guidelines below)

  • Mentioning you in the Hall of Fame (we will seek your consent)

  • Not pursuing or supporting any legal action related to your research/testing

Reporting Format

Report the bug/defect you encountered using the "Report Issue" link available above, and provide all required details.

Eligibility
  • You are a customer of TRIPPORTAL or a security researcher interested in making our sites and applications safe

  • If you are employed by TRIPPORTAL or are related to an employee of TRIPPORTAL (spouse, parent or sibling), you are NOT eligible for the bug reward program

Program Terms

Monetary rewards for security reports are entirely at TRIPPORTAL's sole discretion and will be decided based on risk, impact, and other factors. To qualify for a reward, you need to meet the following requirements:

  • Adhere to our Responsible Disclosure Policy.

  • Report a security bug: that is, identify a vulnerability in our services or infrastructure which creates a security or privacy risk.

  • Your report must describe a problem involving one of the products or services listed under "Report Bug/Defect Program Scope".

  • You will render necessary assistance to tripportalbd.com to resolve the issue.

  • The reward will be paid only after the issue has been fully resolved by TRIPPORTAL.

  • We reserve the right to publish reports (and accompanying updates) without seeking your approval.

  • All payments will be made in Bangladeshi Taka (BDT).

  • If we pay a reward, the minimum reward is 1000BDT.

  • In the event of duplicate reports, we award a reward to the first person to submit an issue (TRIPPORTAL determines duplicates and may not share details on the other reports). A given reward is only paid to one individual.

  • We verify that all reward awards are permitted by applicable laws.

  • Note that extremely low-risk issues may not qualify for a reward at all. We will have the sole discretion to ascertain the risk category.

  • We seek to pay similar amounts for similar issues, but qualifying issues & amounts that are paid may change. Past rewards do not guarantee similar results in the future.

  • We specifically exclude certain types of potential security issues; these are listed under "Ineligible Reports".

  • A reward shall only be paid for bugs that have been unknown to tripportalbd.com. Already known bugs will not receive a reward. Note: Reference is our internal bug tracking system.

  • While we care about vulnerabilities affecting other services we use, we cannot guarantee that our disclosure policies apply to services from other companies. And in this case, you will NOT be eligible for the reward program.

  • Disclosure of the issue/report via other means (like sharing it publicly on social media etc.) will render you ineligible for this program.

  • You refrain from contacting any employee of TRIPPORTAL via any other means/channels regarding the program.

Scope for the Report Bug/Defect Program includes only these sites and apps
  • tripportalbd.com

  • Our Mobile Sites - on Android or iOS

  • Our Mobile Apps - on Android or iOS

Breach of Program Terms & Guidelines

We expect you to respect all the terms and conditions of the program & responsible disclosure as stated above. Any breach will automatically disqualify you from the Report Bug/Defect Program and serious breaches of the guidelines might result in the suspension of your account and/or legal action.

Changes to Program Terms

The Report Bug/Defect Program, including its policies, is subject to change or cancellation by TRIPNOW at any time, without notice. As such, we may amend these Program Terms and/or its policies at any time by posting a revised version here.

Ineligible Reports and False Positives

Some submission types are excluded because they are dangerous to assess, and/or because they have a low impact on us. This section contains issues that are not accepted under this program, will be immediately marked as invalid, and are not rewardable.

  • Security issues in third-party services that integrate with TRIPPORTAL. These are not managed by TRIPPORTAL and do not qualify under our guidelines for security testing.

  • Findings from physical testing such as office access (e.g. open doors, tailgating).

  • Findings derived primarily from social engineering (e.g. phishing, vishing).

  • Functional, UI, and UX bugs and spelling mistakes.

  • Refrain from running automated tools.

  • Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.

  • Issues that require physical access to a victim's computer.

  • Network or application-level Denial of Service (DoS/DDoS) vulnerabilities.

  • Website scraping.

  • Bugs requiring exceedingly unlikely user interaction.

  • Flaws affecting the users of out-of-date browsers and plugins.

The following finding types are specifically excluded from the reward:

  • Descriptive error messages (e.g. Stack Traces, application or server errors).

  • HTTP codes/pages or other HTTP non- codes/pages.

  • Disclosure of known public files or directories, (e.g. robots.txt).

  • Clickjacking and issues only exploitable through clickjacking.

  • CSRF in forms that are available to anonymous users.

  • CSRF with minimal security implications (Logout CSRF, etc.).

  • Presence of application or web browser 'autocomplete' or 'save password' functionality.

  • Lack of Secure/HTTP only flags on non-sensitive Cookies.

  • Lack of Security Speed Bump when leaving the site.

  • Weak Captcha/Captcha Bypass.

  • Most brute-force issues or issues that can be exploited using brute-force.

  • Open redirects.

  • HTTPS Mixed Content Scripts.

  • Self-XSS.

  • Username/email enumeration.

  • Publicly accessible login panels.

  • Reports that state that software is out of date/vulnerable without a proof of concept.

  • Host header issues without an accompanying proof-of-concept demonstrating vulnerability.

  • Stack traces that disclose information.

  • Best practices concerns.

  • Internal IP disclosure.

  • Lack of enforcement of HTTPS via redirection.

  • Fingerprinting issues (e.g. open ports without an accompanying proof-of-concept demonstrating vulnerability, banner grabbing).

  • Sensitive data in URLs/request bodies when protected by SSL/TLS.

  • Issues reported in microsites with minimal or no user data.

  • Issues that affect singular users and require interaction or significant prerequisites (MITM) to trigger.

  • Missing security headers that do not present an immediate security vulnerability.

Out of Scope bugs for Android apps (App to be launched soon)
  • Absence of certificate pinning

  • Sensitive data stored in-app private directory

  • User data stored unencrypted on external storage

  • Lack of binary protection control in android app

  • Shared links leaked through the system clipboard.

  • Any URIs leaked because a malicious app has permission to view URIs opened

  • Sensitive data in URLs/request bodies when protected by TLS

  • Lack of obfuscation

  • Crashes due to malformed Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)

Out of Scope bugs for iOS apps (App to be launched soon)
  • Absence of certificate pinning

  • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries

  • Path disclosure in the binary

  • User data stored unencrypted on the file system

  • Lack of binary protection (anti-debugging) controls

  • Lack of obfuscation

  • Lack of jailbreak detection

  • Runtime hacking exploits (exploits only possible in a jailbroken environment)

  • Snapshot/Pasteboard leakage

  • Crashes due to malformed URL Schemes

If you find an issue that you would like to report to us, please use the following form with the required details so that we can look into it. Please give us reasonable time to investigate and mitigate the issue before sharing information with others, and note that we reserve the right to publish your report. (See "Info" for more details.)

Title of the Issue

URL (link of the page you faced a bug/defect)

Description of the Bug/Defect

Reproduction Instruction

This is an important section: we would like you to provide the steps to reproduce the bug/defect so that we can reproduce it ourselves. Please state which browser you were using, and if you are unclear as to how you encountered the bug/defect, please describe in detail what happened so we can narrow down the issue.

Did the issue occur more than once?

Screenshots of the issue

Please provide some screenshots so that we can look into the matter thoroughly, and keep the screenshots to the point.

You can upload up to 4 screenshots.

Your Information

Your Name

Phone Number

Email

By submitting, you are agreeing to the debugger program terms & conditions mentioned in the Info section.

We will get back to you soon!!

Thank you for taking part in the betterment of our website and creating our way to upscale the user experience for you as well as other people.