We are a cybersecurity firm. We take the security of our own systems seriously and welcome responsible disclosure from the security community. If you have identified a vulnerability in our infrastructure, website, or services, please report it to us and we will work with you to resolve it quickly.
1. Purpose
This Responsible Disclosure Policy ("Policy") sets out the terms under which security researchers and members of the public may report vulnerabilities discovered in Scyverge systems. Our goal is to protect our users, clients, and infrastructure by providing a clear and safe process for vulnerability reporting, in alignment with industry best practices and the Information Technology Act 2000 (India).
2. Scope
This Policy applies to vulnerabilities identified in systems directly owned and operated by Scyverge Labs Private Limited, including:
- scyverge.com and all sub-domains.
- Scyverge-operated APIs and web applications.
- Scyverge email and authentication infrastructure.
- Scyverge internal tools and client-facing platforms.
This Policy does not cover:
- Third-party services or infrastructure not operated by Scyverge.
- Client environments or systems (these should be reported to the respective client).
- Open-source projects or libraries that Scyverge uses but does not maintain.
- Social engineering or phishing attacks against Scyverge staff (see Section 8).
3. How to Report
Please send your vulnerability report by email to:
info@scyverge.com
Your report should include:
- Description: A clear description of the vulnerability, including its type and the affected component.
- Reproduction Steps: Detailed steps to reproduce the issue, including proof-of-concept code, screenshots, or video evidence where available.
- Impact Assessment: An assessment of the potential impact, including the type of data or functionality at risk.
- CVSS Score: If possible, a Common Vulnerability Scoring System (CVSS v3.1) score or vector string to help us prioritise. If you are unable to provide one, we will calculate it during triage.
- Suggested Remediation: If possible, suggestions for fixing the vulnerability.
- Your Identity: Your name or handle (for acknowledgement, if you wish). Reports may be submitted anonymously.
We will acknowledge receipt of your report within 3 business days.
4. What We Ask of You
To ensure a constructive and safe disclosure process, we ask that you:
- Act in good faith: Do not exploit the vulnerability beyond what is necessary to demonstrate the issue.
- Protect user data: Do not access, modify, or delete data that does not belong to you. If you inadvertently access data, stop immediately and report it.
- Avoid service disruption: Do not perform denial-of-service attacks, brute-force attacks, or any action that degrades service availability or impacts other users.
- Do not disclose publicly: Do not publicly disclose the vulnerability until we have had a reasonable opportunity to remediate (see timeline in Section 5).
- Provide sufficient detail: Give us enough information to reproduce and validate the issue. Incomplete reports may delay our response.
- Comply with applicable law: Your testing must not violate the Information Technology Act 2000 (India), the DPDPA, or any other applicable Indian law.
5. What You Can Expect from Us
- Acknowledgement: Within 3 business days of receiving your report.
- Initial Assessment: A preliminary assessment of severity and scope within 7 business days, including a CVSS v3.1 score where applicable.
- Regular Updates: We will keep you informed of our remediation progress at reasonable intervals.
- Remediation Timeline:
  - Critical severity (CVSS 9.0-10.0): within 15 days.
  - High severity (CVSS 7.0-8.9): within 30 days.
  - Medium severity (CVSS 4.0-6.9): within 60 days.
  - Low severity (CVSS 0.1-3.9): within 90 days.
- Public Acknowledgement: With your consent, we will acknowledge your contribution once the issue is resolved.
- Notification: We will notify you once the vulnerability has been remediated and confirm whether it is safe for you to disclose publicly.
If we are unable to meet the remediation timeline, we will inform you of the reasons and provide an updated target date. We will not unreasonably delay remediation or use the timeline to suppress disclosure.
6. Safe Harbour
We will not pursue civil or criminal legal action against researchers who discover and report vulnerabilities in accordance with this Policy and act in good faith. We consider responsible disclosure activities conducted within the scope of this Policy to be authorised conduct, and we will not refer such reports to law enforcement.
This safe harbour applies only when:
- You have complied with all requirements in Section 4.
- You have not accessed, exfiltrated, or disclosed any data beyond what is necessary to demonstrate the vulnerability.
- You have not caused disruption to our services or harm to our users.
- Your actions would not constitute an offence under the Information Technology Act 2000 (India) or any other applicable Indian law.
7. Coordination and Disclosure
We believe in coordinated disclosure. After remediation is complete, we will notify you and agree on a date for public disclosure. Where a vulnerability affects broader industry systems or shared libraries, we may coordinate with CERT-In (Indian Computer Emergency Response Team) or other relevant bodies.
You may publicly disclose the vulnerability 90 days after your initial report, or 30 days after we confirm remediation, whichever comes first, provided you have notified us of your intent to disclose.
8. Out of Scope
The following types of reports are generally outside the scope of this Policy and will not qualify for safe harbour or acknowledgement:
- Clickjacking on pages without sensitive actions.
- Missing best-practice security headers without demonstrated exploitability.
- Rate limiting or brute-force issues on non-sensitive endpoints.
- Vulnerabilities requiring physical access to a user's device.
- Social engineering or phishing attacks against Scyverge staff.
- Findings from automated scanners without manual verification.
- Content injection or spoofing requiring privileged network access (e.g., DNS hijacking).
- Issues related to outdated browsers or operating systems no longer supported by the vendor.
- Information disclosure via HTTP headers (e.g., server version) without demonstrated exploitability.
- TLS configuration weaknesses below our minimum supported version (TLS 1.2) without demonstrated practical attack.
9. Data Protection
Any personal data you provide when submitting a vulnerability report (such as your name, email address, or contact details) will be processed in accordance with our Privacy Policy and the DPDPA. We will use this data only for the purpose of communicating with you about the reported vulnerability and, with your consent, for public acknowledgement. You may request erasure of your personal data at any time by contacting info@scyverge.com.
10. Changes to This Policy
We may update this Policy from time to time. Material changes will be posted on this page with a revised effective date. Continued submission of vulnerability reports after changes constitutes acceptance of the updated Policy.
11. Contact
Security Team
Scyverge Labs Private Limited
Email: info@scyverge.com
Phone: +91-9487140830
Response time: Within 3 business days