
Responsible Disclosure Policy

Together we keep DigitalRakshak secure. Report vulnerabilities responsibly and help us protect our ecosystem.

Version: 2.0 | Last Updated: 15th March 2025
Report to: support@DigitalRakshak.com

1. Purpose

At DigitalRakshak, the security of our systems and data is a top priority across all our service offerings and products. We recognise that undiscovered vulnerabilities may exist, and this is where the security-research community comes in. If you discover a vulnerability, please let us know immediately so we can fix it responsibly.

We value collaboration with the security community and believe that coordinated disclosure of vulnerabilities helps ensure the safety and privacy of our clients and their customers. This Policy sets out how to report a vulnerability and what you can expect from us.

2. Versioning & Contact

This document supersedes all prior versions and was last updated on 15th March 2025.

Submit reports to: support@DigitalRakshak.com

3. Safe-Harbour for Good-Faith Research

We will not pursue legal action or law enforcement investigations against security researchers who:

  • Follow this Policy in good faith;
  • Do not exploit the vulnerability beyond what is necessary to prove its existence, and do not use it to cause harm, data loss, data manipulation or disruption/degradation of service;
  • Do not violate any laws or breach any agreements to discover vulnerabilities;
  • Avoid violating the privacy of our users, disrupting/degrading our services, or destroying our data;
  • Promptly report the vulnerability with sufficient details for us to reproduce and validate it;
  • Do not access, download, or modify data residing in any other account that does not belong to them or attempt to perform any such actions;
  • Do not share the vulnerability information publicly or with others unless DigitalRakshak provides a written consent to do so.

While we deeply appreciate the contributions of the security research community, this Policy does not grant any form of legal immunity, nor does it authorize or permit any activity that would otherwise be illegal, lead to service disruption/degradation or breach third-party agreements/rights.

4. Disclaimer & Conduct Expectations

Researchers must act in good faith, avoid exceeding the scope defined in this Policy, and ensure that their actions do not violate user privacy, disrupt/degrade services, or compromise system integrity. This Policy is intended to support coordinated vulnerability disclosure, not unauthorized access or abuse.

DigitalRakshak reserves the right to take legal action if:

  • Vulnerabilities are exploited for unlawful gain, competitive advantage, or to access restricted client information or internal systems, or
  • Actions result in the disruption/degradation or impairment of DigitalRakshak's operations, or
  • The researcher violates this Policy or applicable laws in the course of their investigation.

This Policy does not constitute a waiver of DigitalRakshak's legal rights or obligations in any jurisdiction.

5. Permitted Scope Systems

Only the following domains are included in the scope of the program, and researchers are asked to limit their testing to these:

  • DigitalRakshak.com
  • DigitalRakshak.in
  • DigitalRakshak.ai
  • DigitalRakshak.io
  • DigitalRakshak.blog
  • DigitalRakshak.store

6. Out of Scope Systems (expressly voids safe harbour)

Any attempt to exploit the following systems/entities may result in legal action by the respective entities, and the safe harbour in this Policy does not extend to the following cases:

  • Physical attacks or access
  • Spam or brute force attack
  • Third-party services not operated by DigitalRakshak
  • Attempts to intentionally physically damage any DigitalRakshak hardware or service

Out of Scope Exploits:

  • Rate limiting
  • RTL ambiguity
  • Content injection
  • Content spoofing
  • Reporting viruses
  • IDN homograph attacks
  • User email enumeration
  • EXIF data not stripped on images
  • Formula injection or CSV injection
  • Full path disclosure on any property
  • Bugs that do not pose a security risk
  • Email issues related to SPF/DKIM/DMARC
  • Open ports without Proof of Concept of exploit
  • HTTP TRACE or OPTIONS method enabled
  • Login/Logout Cross Site Request Forgery (CSRF)
  • Subdomain takeover without supporting evidence
  • Application denial of service by locking user accounts
  • Information disclosure not associated with a vulnerability
  • Hyperlink injection in emails, HTML injection, or self-XSS
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
  • X-Frame-Options related, missing cookie flags on non-sensitive cookies
  • Vulnerabilities found through automated testing or scanner-generated reports
  • Use of known-vulnerable libraries without proof of exploitation such as OpenSSL
  • Clickjacking/tapjacking and/or issues only exploitable through clickjacking/tapjacking
  • Publicly released CVEs or Zero Day Vulnerability Exploits performed within 90 days of their disclosure
  • Vulnerability requiring a rooted or jailbroken device and/or outdated OS version or SSL pinning issues
  • Missing security headers that do not lead to a vulnerability (unless you can provide a Proof of Concept)
  • Social Engineering (including phishing, smishing, vishing, and all other variants) with any DigitalRakshak staff, contractors, clients or third parties
  • Vulnerabilities that leverage illicit Man-in-the-Middle (MITM) attack or require physical access to a target's device
  • SSL issues such as BEAST, BREACH, renegotiation attack, forward secrecy not enabled, weak/insecure cipher suites, or any such lack of leading practices
  • Uploading, transmitting, linking to, sending, storing, or otherwise distributing any malicious code or software (malware)
  • Cross Site Request Forgery actions that do not require authentication (or a session) to exploit
  • Reports related to the following security headers:
    • HTTP Strict Transport Security (HSTS)
    • XSS Mitigation Headers (X-Content-Type and X-XSS-Protection)
    • X-Content-Type-Options
    • Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)

7. Qualifying Vulnerabilities

We are specifically interested in:

  • SQL Injection
  • Privilege Escalation
  • Cross Site Scripting (XSS)
  • Remote Code Execution (RCE)
  • Domain Take Over Vulnerabilities
  • Cross Site Request Forgery (CSRF)
  • Server Side Request Forgery (SSRF)
  • Authentication/Authorization flaws/bypass
  • Insecure Direct Object References (IDOR)
  • Misconfigurations Leading to Data Leakage

8. Reporting Guidelines

For a report to be deemed complete for the purposes of this Policy, it must contain each of the following:

  • Timestamp of discovery
  • A clear, concise description of the vulnerability
  • Impact assessment and all affected services
  • Any relevant logs, screenshots, or video recordings
  • Steps to reproduce the issue (Proof of Concept is preferred)
  • Contact information of the researcher to enable the team to reach out for further correspondence as applicable

Send your report to: support@DigitalRakshak.com

9. Confidentiality

Any logs, screenshots, sample payloads, personal data, or other information ("Investigation Data") that you obtain while conducting authorised testing under this Policy must be treated as strictly confidential. You may not disclose, publish, or share any Investigation Data with any third party without DigitalRakshak's prior written consent. Upon DigitalRakshak's written request, made at any time during or after the investigation, you must promptly and securely delete or destroy all copies of the Investigation Data in your possession or control and confirm such deletion in writing.

In all cases, you must securely delete or destroy every copy of the Investigation Data no later than thirty (30) days after DigitalRakshak confirms that the vulnerability has been fixed, even if no deletion request is issued.

10. What You Can Expect From Us

We will acknowledge receipt of your report within two (2) business days.

We investigate and respond to all valid reports. However, depending on the volume of reports we receive, we prioritize evaluation based on risk and impact factors, and it may take some time before we respond.

Under our Responsible Disclosure Policy we offer no monetary or non-monetary rewards. Please ensure all reports are genuine ethical disclosures.

Thank you for helping us keep DigitalRakshak, and the wider ecosystem, secure. We tip our hats in gratitude to every security researcher who helps us and other organizations stay safe, and in doing so secures the entire IT ecosystem.

11. Governing Law and Dispute Resolution

This Policy, and any dispute or claim (whether in contract, tort, or otherwise) arising out of or in connection with it, shall be governed by and construed in accordance with the laws of India, without regard to its conflict-of-laws principles.

Any dispute shall be finally resolved by arbitration seated in Gandhinagar, Gujarat, India, in accordance with the Arbitration and Conciliation Act, 1996, as amended. The arbitration shall be conducted on an ad-hoc basis by a sole arbitrator agreed upon by the Parties. The courts located in Gandhinagar, Gujarat shall have exclusive jurisdiction for the limited purpose of (i) granting interim or conservatory relief and (ii) enforcing any arbitral award. Each Party irrevocably waives any objection to venue or forum non conveniens with respect to such courts.