Effective date: 8 July 2026
Responsible Disclosure Policy
Found a vulnerability? We take security seriously and we want to hear from you.
1. Our Commitment
If you report a vulnerability in good faith and follow this policy, here's what we promise:
- We'll investigate every legitimate report promptly
- We'll work to fix valid vulnerabilities as fast as we can
- We won't take legal action against you for reporting
- We'll keep you updated on our progress
- We'll credit you in our hall of fame (if you want)
2. Scope
In scope:
- dpdpashield.in and all subdomains (*.dpdpashield.in)
- api.dpdpashield.in
- The DPDPA Shield web application and dashboard
- Public-facing portals (rights portal, consent widget, trust center)
Out of scope:
- AWS infrastructure - report those to AWS directly
- Social engineering attacks (phishing, pretexting)
- Physical security attacks
- Denial of service (DoS/DDoS)
- Automated scanning without prior permission - please test manually or use a dedicated test account
3. How to Report
Email: hello@dpdpashield.in
Subject: “Responsible Disclosure: [brief description]”
Include in your report:
- What you found and which component is affected
- Steps to reproduce (the more specific, the faster we can fix it)
- What an attacker could do with this
- Any proof-of-concept (screenshots, request/response logs)
Please don't test against live customer data. If you can reproduce it against your own test account, that's enough.
4. What We Ask of Researchers
- Give us time to respond - we acknowledge within 2 business days
- Don't access, copy, modify, or delete data that isn't yours
- No DoS attacks, spam, or social engineering
- Don't go public before we've had 90 days to investigate and fix (coordinated disclosure)
- Don't use findings for competitive intelligence
5. What We Offer
Hall of fame: With your permission, we'll publicly acknowledge your contribution.
Bug bounty: We don't currently run a monetary bug bounty. If that changes, we'll update this page.
Safe harbour: We won't pursue legal action against researchers who comply with this policy in good faith.
6. Response Timeline
| Milestone | Target |
|---|---|
| Acknowledgement | Within 2 business days |
| Initial assessment (valid / invalid / duplicate) | Within 7 days |
| Fix timeline communicated | Within 14 days |
| Coordinated disclosure | After fix is live, by mutual agreement |
Critical vulnerabilities (RCE, mass data exposure) get fast-tracked - we aim to deploy a fix within 24-48 hours.