Effective date: 1 March 2026

Responsible Disclosure Policy

We take security seriously. If you've found a vulnerability in DPDPA Shield, we want to hear from you.

1. Our Commitment

If you report a security vulnerability to us in good faith and follow this policy, we commit to:

  • Investigate all legitimate reports promptly
  • Work to fix valid vulnerabilities as quickly as practicable
  • Not take legal action against you for the act of reporting
  • Keep you informed of our progress
  • Credit you in our hall of fame (with your permission)

2. Scope

In scope:

  • dpdpashield.in and all subdomains (*.dpdpashield.in)
  • api.dpdpashield.in
  • The DPDPA Shield web application and dashboard
  • The DPDPA Shield public-facing portals (rights portal, consent widget)

Out of scope:

  • Third-party infrastructure (Vercel, Render, Supabase, Cloudflare, Upstash) — report these to the respective provider
  • Social engineering attacks (phishing, pretexting)
  • Physical security attacks
  • Denial of service (DoS/DDoS) attacks
  • Automated scanning without prior permission — please test manually or against a dedicated test account

3. How to Report

Email: hello@dpdpashield.in

Subject: “Responsible Disclosure: [brief description]”

Please include in your report:

  • Description of the vulnerability and affected component
  • Steps to reproduce (the more specific, the better)
  • Potential impact — what could an attacker do with this?
  • Any proof-of-concept (screenshots, request/response logs)

Please do not demonstrate the vulnerability against live customer data. Reproducing it against your own test account is sufficient evidence.

4. What We Ask of Researchers

  • Give us a reasonable time to respond — we acknowledge within 2 business days
  • Do not access, copy, modify, or delete data that is not yours
  • Do not perform DoS attacks, spam, or social engineering
  • Do not disclose the vulnerability publicly before we have had 90 days to investigate and remediate (coordinated disclosure)
  • Do not use findings for competitive intelligence or to gain commercial advantage

5. What We Offer

Hall of fame: With your permission, we will acknowledge your contribution on our security hall of fame page.

Bug bounty: We do not currently operate a monetary bug bounty programme. If this changes, we will update this policy.

Safe harbour: We will not pursue civil or criminal action against researchers who comply with this policy in good faith.

6. Response Timeline

Milestone                                         Target
Acknowledgement of report                         Within 2 business days
Initial assessment (valid / invalid / duplicate)  Within 7 days
Fix timeline communicated                         Within 14 days
Coordinated disclosure (after fix deployed)       After fix is live, per agreement

For critical vulnerabilities (e.g. remote code execution, mass data exposure), we will prioritise the fix and aim to deploy within 24–48 hours.