So, you think you found a bug? Good. That's literally what this page is for. We built a platform called hack.adityasec.com — the name isn't subtle, and neither are we.
We believe security researchers are the unsung heroes of the internet. You find what automated scanners miss, you think like attackers so defenders don't have to, and you make the digital world a little less broken. We appreciate you.
Found something? Report it. We won't sue you — we'll send you cool swag instead.
Scope
Yes, the domain name is literally telling you to hack it. But let's be specific:
Asset                               | Type             | Severity
hack.adityasec.com                  | Web Application  | Critical – Info
API endpoints (hack.adityasec.com)  | REST API         | Critical – Info
Everything else — adityasec.com, mailer.adityasec.com, your neighbor's WiFi — is out of scope. Stay in your lane.
In-Scope Vulnerabilities
The juicy stuff we actually care about:
Remote Code Execution (RCE) — if you pop a shell, we definitely want to know
SQL Injection (SQLi) — our queries are parameterized, but prove us wrong
Cross-Site Scripting (XSS) — we run strict CSP with nonce-based scripts. Break it? Legend.
Server-Side Request Forgery (SSRF) — making our server talk to things it shouldn't
Insecure Direct Object Reference (IDOR) — accessing someone else's data without permission
Authentication / Authorization bypass — getting in where you shouldn't be
Information disclosure — sensitive data leaking where it shouldn't
CSRF on critical actions — making authenticated users do things they didn't mean to
Directory traversal / LFI — reading files you weren't supposed to read
Privilege escalation — going from "user" to "admin" without the password
Out of Scope
Please don't waste your time (or ours) on these:
Denial of Service (DoS/DDoS) — we know our servers are tempting, but please resist
Social engineering / phishing — our team knows not to click shady links (probably)
Rate limiting issues — unless you can actually exploit them for something meaningful
CSRF on logout — oh no, someone logged me out. Anyway...
Missing best practices — without demonstrated impact, it's just a suggestion
Automated scanner dumps — we'll file those right next to our spam folder. Show us real impact.
Clickjacking on non-sensitive pages — framing our marketing page isn't a vuln
Open redirect — unless you can chain it into something actually dangerous
Missing security headers — without exploitable impact, it's a nice-to-have, not a finding
Issues requiring physical access — if you're in our server room, we have bigger problems
Safe Harbor
This part is serious. We will not take legal action against security researchers who:
Make a good faith effort to avoid privacy violations, data destruction, or service disruption
Do not access or modify data belonging to other users
Report vulnerabilities promptly and provide sufficient detail for remediation
Do not publicly disclose the vulnerability before we've had reasonable time to fix it
TL;DR: Hack responsibly, report honestly, and we'll treat you with respect. That's a promise.
Testing Guidelines
We strongly encourage manual testing over automated scanner dumps. Anyone can run Nuclei and paste the output — that's not security research, that's copy-paste. Take the time to understand the application, craft meaningful payloads, and demonstrate real impact.
Show us you actually understand the vulnerability. A well-written report with clear reproduction steps will always be valued over a 47-page automated scan report that nobody reads.
Need authenticated access for deeper testing? We've got you covered: use the Request Testing Credentials form further down this page.
Rewards
Let's be upfront: this is not a bug bounty program. We're not throwing cash at every finding. But we do appreciate valid security reports, and researchers who submit impactful, well-documented findings will receive cool swag as a token of our gratitude.
What counts as "cool swag"? That's for us to know and you to find out. Submit a valid report and see for yourself. 😎
Rate Limits
OTP send: 10 per 5 min per IP (60s cooldown between sends). OTP verify: 10 per min. Report submission: 5 per 5 min. OTP codes are valid for 5 minutes. Email changes: 2 max per session. Please be patient — the rate limits exist for a reason.
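To make the limits above concrete, here is an added example (not the platform's own code) of an OTP service enforcing exactly those numbers: a per-IP sliding window for sends, a per-recipient cooldown, a per-recipient window for verify attempts, a 5-minute code lifetime, and single-use codes. The keying choices are assumptions, since the page only states the counts: the send limit is keyed on the client IP, the cooldown and the verify limit on the recipient email. Keying verify attempts on the recipient (the code being guessed) rather than the source IP means a guesser gains nothing by spreading attempts over many IPs. The six-digit code format in the last function is also an assumption.

```python
import hmac
from collections import defaultdict, deque

# Limits as stated on the page (counts and seconds).
OTP_SEND_LIMIT, OTP_SEND_WINDOW = 10, 300     # 10 sends per 5 min per IP
OTP_SEND_COOLDOWN = 60                        # 60 s between sends to one recipient
OTP_VERIFY_LIMIT, OTP_VERIFY_WINDOW = 10, 60  # 10 verify attempts per minute
OTP_TTL = 300                                 # codes valid for 5 minutes


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key.
    Timestamps are passed in explicitly so behaviour is deterministic."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:  # drop events that left the window
            q.popleft()
        if len(q) >= self.limit:                 # rejected attempts are not recorded
            return False
        q.append(now)
        return True


class OtpService:
    """Issue and check one-time codes under the page's limits.
    Assumption (not from the page): send limit keyed per IP, cooldown and
    verify limit keyed per recipient email."""

    def __init__(self):
        self.send_limiter = SlidingWindowLimiter(OTP_SEND_LIMIT, OTP_SEND_WINDOW)
        self.verify_limiter = SlidingWindowLimiter(OTP_VERIFY_LIMIT, OTP_VERIFY_WINDOW)
        self.last_send = {}  # email -> time of last send
        self.codes = {}      # email -> (code, expires_at)

    def send(self, ip, email, code, now):
        last = self.last_send.get(email)
        if last is not None and now - last < OTP_SEND_COOLDOWN:
            return "cooldown"                    # checked first: does not consume IP budget
        if not self.send_limiter.allow(ip, now):
            return "rate_limited"
        self.last_send[email] = now
        self.codes[email] = (code, now + OTP_TTL)
        return "sent"

    def verify(self, email, code, now):
        if not self.verify_limiter.allow(email, now):
            return "rate_limited"
        entry = self.codes.get(email)
        if entry is None:
            return "no_code"
        expected, expires_at = entry
        if now > expires_at:
            del self.codes[email]
            return "expired"
        if not hmac.compare_digest(expected, code):  # constant-time comparison
            return "invalid"
        del self.codes[email]                    # a code is single use
        return "ok"


def max_guesses_within_ttl():
    """Rough number of verify attempts one recipient key can absorb while a
    single code is live (window boundary effects ignored)."""
    return int(OTP_TTL / OTP_VERIFY_WINDOW * OTP_VERIFY_LIMIT)


def brute_force_success_probability(digits=6):
    """Chance of guessing one live code, assuming a uniformly random numeric
    code of `digits` digits (the code format is an assumption)."""
    return max_guesses_within_ttl() / 10 ** digits
```

With these numbers a single live code survives about 50 guesses, so a uniformly random six-digit code is guessed with probability around 5e-5 per code, and the per-recipient cooldown prevents an attacker from pumping the send endpoint to keep fresh codes flowing.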
// Submit a Report
Found something interesting? Drop the details below. Be specific, be thorough, and show us the impact.
// Request Testing Credentials
Want to perform authenticated security testing? We'll review your request and send credentials to your verified email if approved.
Rate limits: OTP send 10 per 5 min per IP · OTP verify 10 per min · Credential request submit 5 per 5 min · 60-second cooldown between OTP sends.