Responsible Disclosure Policy

CREDVUE PAYMENT SOLUTION PRIVATE LIMITED (hereinafter referred to as "Credvue") considers the security of its products and services an essential aspect of business practice. To maintain this practice, we encourage security researchers (“Participants”) to make responsible disclosures of any vulnerabilities they identify in Credvue systems.

Purpose

This Responsible Disclosure Policy ("Policy") guides Participants in conducting responsible vulnerability discovery and reporting vulnerabilities to Credvue to strengthen security and protect users.

Reporting a Vulnerability

If a Participant believes they have found a real or potential security vulnerability in any Credvue-owned system or software, they should report it via email to info@credvue.in. The subject line should be prefixed with "Bug Bounty".

Required Report Details

  • Vulnerability Name
  • Vulnerability Type
  • Description & Steps to Reproduce
  • Proof of Concept
  • Impact & Recommendation
  • Participant Details: Full Name, Email, Mobile, Public Profile (if any)

Program Rules

  • One report per vulnerability unless related issues need to be clubbed.
  • Only the first reproducible report will be rewarded.
  • Social engineering attacks are prohibited.
  • Automated tools or scripts are strictly prohibited; a manual, step-by-step PoC is required.
  • Good faith effort must be made to avoid privacy violations or service disruptions.

Response Targets

  • Credvue will acknowledge the receipt of vulnerability reports promptly.
  • Validation and resolution will follow Credvue’s commitment to security.
  • Participants will be notified once the issue is fixed.

Severity & Reward Categorization

Vulnerabilities are categorized by severity: Critical, High, Medium, Low. Bounty rewards will be assessed internally based on the severity and impact of the vulnerability.

Safe Harbor

Activities conducted in accordance with this Policy will be considered authorized. Credvue will defend Participants from legal action by third parties if activities are conducted in good faith under this Policy.

Confidentiality

All information shared by Credvue or discovered during testing is confidential. Participants must:

  • Keep all confidential information secure for 5 years.
  • Use information solely for reporting vulnerabilities.
  • Return all confidential information upon request.

Legal & Miscellaneous

  • This Policy is governed by the laws of India, with courts in Noida having exclusive jurisdiction.
  • Credvue retains ownership of all confidential information.
  • Participants may not disclose, copy, or develop competing products using confidential information.
  • Credvue reserves the right to amend this Policy at any time.

Contact Information

Email: security@credvue.in

Address: LG-75 Ansal Fortune, Arcade K-Block, Noida, Gautam Buddha Nagar-201301, Uttar Pradesh

Phone: +91 9717475889

Thank you for helping keep Credvue and its users safe!