All researchers are expected to:

  • Report their finding by writing to us directly at [email protected] without making any information public.
  • We will acknowledge your submission within 72 working hours.
  • Keep the information about any vulnerability you’ve discovered confidential between us until we have resolved the problem.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  • Perform research only within the scope below.

If you follow these guidelines when reporting an issue to us, we commit to:

  • Suitably reward you for your efforts. The bounty will be disclosed when you report the bug.
  • Recognize & acknowledge your contribution on our Security with a certificate from GYMPP.
  • Work with you to understand and resolve the issue quickly.
  • Not pursue or support any legal action related to your research.

Reporting format

If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us by emailing [email protected]. Please include the following details in your report:

  • Description of the location and potential impact of the vulnerability
  • A detailed description of the steps required to reproduce the vulnerability – POC scripts, screenshots, and compressed screen captures will all be helpful to us.
  • Your name/handle and a link for recognition.

Disclosure Policy

We request adherence to our simple Disclosure Policy:

  • Please avoid privacy violations, and do not destroy data/hinder our regular services.
  • The vulnerability/bug must be original and previously unreported.
  • The first reporter will have the benefit of the program.
  • We reserve the right to change the rules or cancel this program at any time.
  • Consideration for other bugs with serious security implications will be on a case-by-case basis.
  • An official letter from Gympp will be issued certifying the contribution. The letter will be generic, without mention of the vulnerability.
  • Bounties are awarded based on the severity, impact, complexity and awesomeness of the vulnerability reported, at the discretion of the Gympp bug bounty panel.
  • We might not be able to reward you for each bounty you report, but we will make sure that you are recognized.
  • Bug bounty is applicable only for individuals.

Don’t be evil. Practice safe checks. Some of these tools can be disruptive or cause sites to misbehave, leading to suspension of your account.


On behalf of over a million users, we would like to thank the following people for making a responsible disclosure to us: