1. Responsible Disclosure Policy
An effective disclosure policy requires mutual trust, respect, and transparency between security researchers and our security team.
- We request that you report any bug as soon as you discover it. We request that you not disclose it publicly before it has been fixed. We will confirm acknowledgment within 48 working hours of submission.
- Keep the information about the discovered vulnerability confidential until we have resolved the problem.
- Avoid any privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
- Avoid using test cases or vulnerability testing tools that generate a significant volume of traffic or disrupt our services.
- Refrain from accessing other users' accounts or data without permission.
- Use only Test accounts to produce a vulnerability, and do not attempt it on Live accounts.
- Submit a bug only if you have exploited a real vulnerability (refer to Scope Exclusion below).
- Do not use scanners or automated tools to find vulnerabilities. They’re noisy and might result in suspension of your user account / IP Address.
- We also request that you not attempt attacks such as social engineering or phishing. These kinds of bugs will not be considered valid, and such attempts, if caught, might result in suspension of your account.
- The vulnerability must be original and previously unreported. The first reporter will have the benefit of the reward.
- Any improper public disclosure or misuse of information will entitle us to take appropriate legal action.