OYO Responsible Disclosure

OYO takes all the necessary efforts to mitigate all the bugs & vulnerabilities in our systems. We are open to receiving positive feedback from independent security groups and individual researchers to study it across all platforms and help make OYO technologically safer for our customers. If you discover any such shortfall, we would appreciate a responsible approach in responsibly investigating and reporting it to us so that we can address it as soon as possible. We would further urge you to refrain from any frivolous reporting. 

This Policy applies to all of OYO’s group companies/affiliates/subsidiaries (“OYO Group”) including but not limited to all of its domains subsisting worldwide. 

Reporting Guidelines

  1. Participating in OYO’s Responsible Disclosure program requires you to follow the below guidelines. Always use your accounts in the process of investigating any bugs/findings. Don’t target, attempt to access, or otherwise disrupt the accounts of other users.  
  2. A report must have enough information to reproduce the finding (a proof-of-concept video, code or screenshot etc) and it will only be considered eligible if it pertains to an item explicitly listed under our in-scope sections. 
  3. In case you find a severe vulnerability that allows system access, you must not proceed further. 
  4. Do not use scanners or automated tools to find vulnerabilities since they’re noisy and create unnecessary disturbance for the internal security team. Doing so will invalidate your submission and you will be completely banned from the Program. 
  5. You are obliged to share any additional information as and when requested, failing that will result in rejection of the submission. 
  6. You should agree to participate in the revalidation & testing of the effectiveness of the countermeasure applied to your report. 
  7. Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. 
  8. Multiple vulnerabilities caused by one underlying issue will be treated as one valid report. 

In general, please investigate and report bugs in a way that makes a reasonable, good faith effort not to be disruptive or harmful to us or our users. Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.

Terms & Conditions

  • You shall abide by all the applicable laws of the land. OYO is not responsible for any non-adherence to applicable laws on your part. 
  • All communications during this program must remain fully confidential.  
  • Disclosing bugs to a party other than OYO is forbidden, all bug reports are to remain at the reporter and OYO’s discretion. 
  • You must not violate the rights and privacy of other users or engage in any confidentiality or privacy breaches, destruction, removal or tampering of data, disrupt or degrade our services or misuse the findings for personal benefits. 
  • Threatening of any kind will immediately ban you from participating in the program and call for strict actions. 
  • OYO decides to determine when and how bugs should be addressed and fixed. 
  • Researchers must destroy all artefacts collected to document vulnerabilities (POC code, videos, screenshots etc) after the bug report is closed. 
  • Don't target our physical security measures, or attempt to do social engineering, phishing, spam, denial of service (DoS) or distributed denial of service (DDOS) attacks etc. 
  • You will not intentionally compromise the intellectual property or other commercial or financial interests of any OYO personnel or entities, or any third parties. 
  • Any data, information, solutions or suggestions, including any intellectual property that you provide to OYO under this Program, will immediately be transferred to OYO without any limitations or exceptions, and you shall waive all rights, title, ownership and interest therein. If requested, you shall provide OYO with appropriate documentation to formalise any such transfer or assignment 

Changes to Program Terms 

OYO reserves the right to change or discontinue the responsible disclosure program including its policies at any time without any prior notice. OYO may amend this program’s Terms & Conditions and/or its policies at any time by posting a revised version on our website and by continuing your participation in the responsible disclosure program after any such changes, you implicitly agree to comply with the updated program terms. 

Termination & Penalties  

Violation of any of the given guidelines & T&Cs or any other terms that OYO releases, will immediately ban you from the program and will result in appropriate legal actions. It may also invalidate all your previous contributions and make you liable for penalties as necessary. 

In Scope Domains/Apps


























Out of Scope Vulnerabilities

Things that are not eligible: 

  • Captcha-related concerns, Lack of rate limiting mechanisms, Account lockout or Brute force attacks. 
  • Open redirects without a severe impact  
  • Common security misconfiguration: 
  1. Cache related issues 
  2. Issues related to CMS (WordPress, Joomla etc) misconfiguration without a severe impact 
  3. Emails (SPF, DMARC, DKIM etc) 
  4. Banner revealing a software version etc 
  5. Missing HTTP security headers (Click jacking, HSTS, CSP etc) 
  6. HTTP methods enabled (OPTIONS / TRACE etc)  
  7. Missing Cookie Flags (HttpOnly, secure etc) 
  8. SSL/TLS Versions (BREACH, POODLE etc) or SSL Pinning related 
  9. Broken Links/Orphan domains - if it doesn’t lead to subdomain takeover 
  10. Error messages, application stack traces or path disclosures that do not leak sensitive information like credentials or secret tokens etc 
  11. Kiosk mode / Screen pinning bypass
  12. Clipboard data access. 
  13. Lack of obfuscation or binary protection (anti-debugging) controls 
  14. Lack of Exploit mitigations i.e. PIE, ARC, or Stack Canaries 
  15. Tabnabbing
  • Host Header Injection 
  • Self-type Cross Site Scripting / Self-XSS  
  • Vulnerabilities that require Man in the Middle (MiTM) attacks or installation of software like web browser add-ons, etc in victim's machine 
  • Denial of Service attacks – DOS/DDOS  
  • CSRF issues on Login & Logout or on actions that do not change the state of data/application  
  • Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.  
  • Vulnerabilities contingent on physical attack, social engineering, phishing, spamming (SMS/Email Bombing) etc. 
  • Vulnerabilities affecting outdated or unpatched browsers / Operating Systems. 
  • Any kind of vulnerabilities that requires physical device access (e.g. USB debugging), root/jailbroken access or third-party app installation in order to exploit the vulnerability 
  • Bugs that have not been responsibly investigated and reported or aren't reproducible 
  • Bugs in products or websites related to an acquisition for a period of 180 days following any public announcement. 
  • Bugs already known to us, or already reported by someone else (credit goes to first reporter). 
  • Reports of current or previous employees of OYO Group(Oravel Stays private limited or other subsidiaries)  
  • Application crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) 
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability. 
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS 
  • Issues that require unlikely user interaction

Public Disclosure Policy

  • Follow HackerOne's disclosure guidelines.


Researcher shall fully indemnify, hold harmless and defend (collectively “indemnify” and “indemnification”) OYO, its subsidiaries and affiliates, its directors, officers, employees, agents, and shareholders, representatives and third party service providers (collectively, “Indemnified Parties”) from and against all claims, demands, actions, suits, damages, liabilities, losses, settlements, judgments, costs and expenses (including but not limited to reasonable attorney’s fees and costs), whether or not involving a third party claim, which arise out of or relate to: 

  • Any breach or violation of the terms of this Responsible Disclosure Policy or any obligation or duty of the Researcher referred therein or under applicable law. 
  • Any breach of the confidentiality. 
  • Any misuse of data, including personal data. 
  • Any breach of any waiver granted. 
  • Any attempt to contact OYO’s clients, merchants, partners, users or third parties to inform the existence of the vulnerability. It includes any reference or message in social media making reference to the finding. 
  • Any attempt to bring direct or indirectly claims, lawsuits, demands, actions judgments against OYO or any other Indemnified Party, in each case whether or not caused by the negligence of OYO or any other Indemnified Party and whether or not the relevant claim has merit. 

OYO holds the benefit of this indemnity and all other rights under this as trustee for each Indemnified Party benefiting from it. OYO’s failure to act with respect to a breach by you or a cause of indemnity as stated above does not waive its right to act with respect to same, subsequent or similar breaches. These indemnification obligations under shall survive any termination or expiration of Policy against you or your exit from Platform. 


By participating in OYO’s Responsible Disclosure Program, you acknowledge that you have read and agree to OYO’s Terms of Service as well as your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.

Response Targets

Type of Response

SLA in business days

        First response 


3 days


7 days

                                                 Second response

                                                 Time to resolution


depends on severity and complexity

 We’ll try to keep you informed about our progress throughout the process. 

Hall of Fame

We would like to formally and sincerely express our gratitude for the contribution of the security researchers who have responsibly disclosed one or more security vulnerabilities and helped to improve the security of our products or services.

List of Security Researchers can be viewed here.

Copyright © 2022. All rights reserved.