Skip to content

    Responsible Disclosure


    We take security very seriously. If you find a security vulnerability, we ask you to responsibly disclose the details to us.

    • Reach out to or use our vulnerability report page, if you have found any potential vulnerability in our products meeting all the below mentioned criteria. You can expect a confirmation from our security team in about 48 working hours of submission.
    • Please refrain from doing security testing in existing customers' production accounts.
    • When conducting security testing, make sure not to violate our privacy policies, modify/delete user data, disrupt production servers, or to degrade user experience.
    • You’re allowed to disclose the discovered vulnerabilities only to or by using our vulnerability report page. Documenting any potential In/Out of scope vulnerability to the public is against our responsible disclosure policy.
    • If your finding is valid and unique, you may be eligible for a reward.

    Out of Scope Vulnerabilities

    • Clickjacking / UI Redressing attack
    • Self-XSS and XSS that affects only outdated browsers
    • Using components of known vulnerability without relevant POC of attack
    • Host header and banner grabbing issues
    • Denial of Service attacks and Distributed Denial of Service attacks
    • Automated tool scan reports.Example: Web, SSL/TLS scan,Nmap scan results etc.,
    • Missing HTTP security headers and cookie flags on insensitive cookies
    • Rate limiting, brute force attack
    • Login/logout/low-business impact CSRF
    • Unrestricted file upload
    • Open redirects - unless they can be used for actively stealing tokens
    • Formula/CSV Injection
    • Vulnerabilities that requires physical access to the victim machine.
    • User enumeration such as User email, User ID etc.,
    • Phishing / Spam (including issues related to SPF/DKIM/DMARC)
    • Missing security best practices
    • Vulnerabilities found in third party services
    • Session fixation and session timeout