Responsible Disclosure Policy

Version 1.0 – Effective 24th June 2025

1. Purpose

At HyperVerge, the security of our systems and data is a top priority across all our service offerings and products. We recognise that undiscovered vulnerabilities may exist, and this is where the security-research community comes in. If you discover a vulnerability, please let us know immediately so we can fix it responsibly.

We value collaboration with the security community and believe that coordinated disclosure of vulnerabilities helps ensure the safety and privacy of our clients and their customers. This Policy sets out how to report a vulnerability and what you can expect from us.

2. Versioning & Contact

  • This document supersedes all prior versions and was last updated on 24th June 2025.
  • Submit reports to security[at]HyperVerge.co.

3. Safe-Harbour for Good-Faith Research

We will not pursue legal action or law enforcement investigations against security researchers who:

  • Follow this Policy in good faith;
  • Do not exploit the vulnerability beyond what is necessary to prove its existence, and do not use it to cause harm, data loss, data manipulation or disruption/degradation;
  • Avoid violating the privacy of our users, disrupting/degrading our services, or destroying our data;
  • Promptly report the vulnerability with sufficient details for us to reproduce and validate it;
  • Do not access, download, or modify data residing in any other account that does not belong to them or attempt to perform any such actions;
  • Do not violate any laws or breach any agreements to discover vulnerabilities;
  • Do not share the vulnerability information publicly or with others unless HyperVerge provides a written consent to do so.

While we deeply appreciate the contributions of the security research community, this Policy does not grant any form of legal immunity, nor does it authorize or permit any activity that would otherwise be illegal, lead to service disruption/degradation or breach third-party agreements/rights.

4. Disclaimer & Conduct Expectations

Researchers must act in good faith, avoid exceeding the scope defined in this Policy, and ensure that their actions do not violate user privacy, disrupt/degrade services, or compromise system integrity. This Policy is intended to support coordinated vulnerability disclosure, not unauthorized access or abuse.

HyperVerge reserves the right to take legal action if:

  • Vulnerabilities are exploited for unlawful gain, competitive advantage, or to access restricted client information or internal systems, or
  • Actions result in the disruption/degradation or impairment of HyperVerge’s operations, or
  • The researcher violates this Policy or applicable laws in the course of their investigation.

This Policy does not constitute a waiver of HyperVerge’s legal rights or obligations in any jurisdiction.

5. Permitted Scope Systems

Only the following domains are included in the scope of the program, and researchers are advised to limit their testing to these:

6. Out of Scope Systems (expressly voids safe harbour)

Any attempt to exploit the following systems/entities may result in legal action by the respective entities, and this Policy’s safe harbour does not extend to the following cases:

  • Third-party services not operated by HyperVerge
  • Physical attacks or access
  • Spam or brute force attack
  • Attempts to intentionally physically damage any HyperVerge hardware or service

Out of Scope Exploits:

  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
  • Social Engineering (including phishing, smishing, vishing, and all other variants) with any HyperVerge staff, contractors, clients or third parties
  • Publicly released CVEs or Zero Day Vulnerability Exploits performed within 90 days of their disclosure
  • Bugs that do not pose a security risk
  • Vulnerabilities requiring a rooted or jailbroken device and/or an outdated OS version, or SSL pinning issues
  • Vulnerabilities that leverage illicit Man-in-the-Middle (MITM) attack or require physical access to a target’s device
  • Email issues related to SPF/DKIM/DMARC
  • Vulnerabilities found through automated testing or scanner-generated reports
  • Information disclosure not associated with a vulnerability
  • Content injection
  • Content spoofing
  • Hyperlink injection in emails, HTML injection, or self-XSS
  • Missing security headers that do not lead to a vulnerability (unless you can provide a Proof of Concept)
  • X-Frame-Options related, missing cookie flags on non-sensitive cookies
  • IDN homograph attacks
  • RTL ambiguity
  • Full path disclosure on any property
  • Clickjacking/tapjacking and/or issues only exploitable through clickjacking/tapjacking
  • Use of known-vulnerable libraries (such as OpenSSL) without proof of exploitation
  • Application denial of service by locking user accounts
  • HTTP TRACE or OPTIONS method enabled
  • SSL issues such as BEAST, BREACH, renegotiation attack, forward secrecy not enabled, weak/insecure cipher suites, or any such lack of leading practices
  • Open ports without Proof of Concept of exploit
  • Uploading, transmitting, linking to, sending, storing, or otherwise distributing any malicious code or software (malware)
  • Login/Logout Cross Site Request Forgery (CSRF)
  • Formula injection or CSV injection
  • Rate limiting
  • EXIF data not stripped on images
  • User email enumeration
  • Cross Site Request Forgery actions that do not require authentication (or a session) to exploit
  • Reports related to the following security headers:
    • HTTP Strict Transport Security (HSTS)
    • XSS Mitigation Headers (X-Content-Type and X-XSS-Protection)
    • X-Content-Type-Options
    • Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
  • Subdomain takeover without supporting evidence
  • Reporting viruses

7. Qualifying Vulnerabilities

We are specifically interested in:

  • Authentication/Authorization flaws/bypass
  • Privilege Escalation
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Server Side Request Forgery (SSRF)
  • SQL Injection
  • Remote Code Execution (RCE)
  • Domain Take Over Vulnerabilities
  • Insecure Direct Object References (IDOR)
  • Misconfigurations Leading to Data Leakage

8. Reporting Guidelines

To be considered complete for the purposes of this Policy, a report must contain each of the following:

  • A clear, concise description of the vulnerability
  • Steps to reproduce the issue (Proof of Concept is preferred)
  • Impact assessment and all affected services
  • Any relevant logs, screenshots, or video recordings
  • Timestamp of discovery
  • Contact information of the researcher to enable the team to reach out for further correspondence as applicable

Send your report to: security[at]HyperVerge.co

9. Confidentiality

Any logs, screenshots, sample payloads, personal data, or other information (“Investigation Data”) that you obtain while conducting authorised testing under this Policy must be treated as strictly confidential. You may not disclose, publish, or share any Investigation Data with any third party without HyperVerge’s prior written consent. Upon HyperVerge’s written request, made at any time during or after the investigation, you must promptly and securely delete or destroy all copies of the Investigation Data in your possession or control and confirm such deletion in writing. In all cases, you must securely delete or destroy every copy of the Investigation Data no later than thirty (30) days after HyperVerge confirms that the vulnerability has been fixed, even if no deletion request is issued.

10. What You Can Expect From Us

  • Acknowledgement of receiving your report within three (3) business days
  • We investigate and respond to all valid reports. However, depending on the volume of reports we receive, we prioritize evaluation based on risk and impact factors, and it may take some time before we respond.

Under our Responsible Disclosure Policy we offer no monetary or non-monetary rewards. Please ensure all reports are genuine ethical disclosures.

Thank you for helping us keep HyperVerge and the wider ecosystem secure. We tip our hats in gratitude to every security researcher for helping us and several other organizations keep themselves safe and thus securing the entire IT ecosystem!

11. Governing Law and Dispute Resolution

This Policy, and any dispute or claim (whether in contract, tort, or otherwise) arising out of or in connection with it, shall be governed by and construed in accordance with the laws of India, without regard to its conflict-of-laws principles.

Any dispute shall be finally resolved by arbitration seated in Bengaluru, Karnataka, India, in accordance with the Arbitration and Conciliation Act, 1996, as amended. The arbitration shall be conducted on an ad-hoc basis by a sole arbitrator agreed upon by the Parties. The courts located in Bengaluru, Karnataka shall have exclusive jurisdiction for the limited purpose of (i) granting interim or conservatory relief and (ii) enforcing any arbitral award. Each Party irrevocably waives any objection to venue or forum non conveniens with respect to such courts.