Effective date: 8 July 2026

Responsible Disclosure Policy

Found a vulnerability? We take security seriously and we want to hear from you.

1. Our Commitment

If you report a vulnerability in good faith and follow this policy, here's what we promise:

  • We'll investigate every legitimate report promptly
  • We'll work to fix valid vulnerabilities as fast as we can
  • We won't take legal action against you for reporting
  • We'll keep you updated on our progress
  • We'll credit you in our hall of fame (if you want)

2. Scope

In scope:

  • dpdpashield.in and all subdomains (*.dpdpashield.in)
  • api.dpdpashield.in
  • The DPDPA Shield web application and dashboard
  • Public-facing portals (rights portal, consent widget, trust center)

Out of scope:

  • AWS infrastructure - report those to AWS directly
  • Social engineering attacks (phishing, pretexting)
  • Physical security attacks
  • Denial of service (DoS/DDoS)
  • Automated scanning without prior permission - please test manually or use a dedicated test account

3. How to Report

Email: hello@dpdpashield.in

Subject: “Responsible Disclosure: [brief description]”

Include in your report:

  • What you found and which component is affected
  • Steps to reproduce (the more specific, the faster we can fix it)
  • What an attacker could do with this
  • Any proof-of-concept (screenshots, request/response logs)

Please don't test against live customer data. If you can reproduce it against your own test account, that's enough.

4. What We Ask of Researchers

  • Give us time to respond - we acknowledge within 2 business days
  • Don't access, copy, modify, or delete data that isn't yours
  • No DoS attacks, spam, or social engineering
  • Don't go public before we've had 90 days to investigate and fix (coordinated disclosure)
  • Don't use findings for competitive intelligence

5. What We Offer

Hall of fame: With your permission, we'll publicly acknowledge your contribution.

Bug bounty: We don't currently run a monetary bug bounty. If that changes, we'll update this page.

Safe harbour: We won't pursue legal action against researchers who comply with this policy in good faith.

6. Response Timeline

MilestoneTarget
AcknowledgementWithin 2 business days
Initial assessment (valid / invalid / duplicate)Within 7 days
Fix timeline communicatedWithin 14 days
Coordinated disclosureAfter fix is live, by mutual agreement

Critical vulnerabilities (RCE, mass data exposure) get fast-tracked - we aim to deploy a fix within 24-48 hours.