Responsible Disclosure - certopact.com

Responsible Disclosure.

Found a security issue in Certopact? Report it to us — we will fix it fast, credit you, and protect you under our safe-harbour commitment.

VERSION · 1.0
EFFECTIVE · 29 April 2026
LAST UPDATED · 29 April 2026
JURISDICTION · India

Certopact handles sensitive identity data for some of India's most regulated enterprises. We treat security as a non-negotiable part of building this product. If you have found a vulnerability, please report it to us — we want to fix it, and we want to thank you. This page tells you how.

SECTION 01

Our promise.

If you report a vulnerability in good faith, following the guidelines on this page, we promise:

  • We will acknowledge your report within 2 working days
  • We will provide an initial triage assessment within 5 working days
  • We will fix confirmed vulnerabilities as quickly as we reasonably can, with priority based on severity
  • We will keep you informed throughout the process
  • We will publicly credit you in our security acknowledgements page (if you want — anonymous reports are also welcome)
  • We will not take legal action against good-faith researchers who follow this policy
  • For high-impact reports, we will offer a swag pack and, where appropriate, a monetary bounty

SECTION 02

What's in scope.

The following systems and surfaces are in scope for this programme:

In Scope
  • certopact.com and all subdomains
  • Certopact Entry application (web admin console)
  • Certopact kiosk and reception applications
  • Certopact public APIs (api.certopact.com)
  • Mobile applications, when released
  • Authentication, session, and access-control flows
  • Aadhaar / DigiLocker integration surfaces
  • Email, SMS, and webhook handlers we operate

Out of Scope
  • Third-party services (UIDAI, DigiLocker, GCP, telcos)
  • Customer-controlled deployments and on-premise installs
  • Social engineering of Certopact employees
  • Physical attacks on offices or hardware
  • DDoS or volumetric attacks
  • Spam or abuse of contact forms
  • Public marketing pages on partner websites
  • Self-XSS or attacks requiring physical access to a victim's device

If you are unsure whether something is in scope, please ask us before testing — write to [email protected] with your proposed approach.

SECTION 03

Rules of engagement.

To stay within this programme, please:

  • Test only against accounts you own. Use your own demo or test accounts. Do not access, modify, or destroy data belonging to other users
  • Avoid privacy violations. If you encounter personal data during testing, stop, do not retain or share it, and tell us immediately
  • Stop on impact. If your test could affect availability or data integrity, stop and report what you have
  • Do not exfiltrate. Demonstrate the issue with the minimum proof necessary. Don't dump databases, mass-download files, or pivot deeper than needed
  • No social engineering, phishing, or physical intrusion
  • No public disclosure until we have had a reasonable chance to fix the issue (see Section 06)
  • Comply with the law. Don't break the IT Act, the Aadhaar Act, or any other applicable law in the course of testing

Aadhaar data — special caution. Aadhaar verification flows touch UIDAI's infrastructure under our licensed AUA / KUA. Do not attempt to flood, fuzz, or stress-test these endpoints. Only test against your own Aadhaar verification with your own consent. Misuse of Aadhaar test infrastructure may constitute an offence under the Aadhaar Act 2016.

SECTION 04

How to report.

Send your report to [email protected]. For high-severity issues you can encrypt the message using our PGP key (Section 09).

A good report includes:

  • A clear description of the vulnerability and its likely impact
  • Steps to reproduce, with the smallest possible proof of concept
  • The URL, endpoint, parameter, or component affected
  • Any screenshots, request/response captures, or videos that help
  • The browser, OS, IP, and account or session you were testing from
  • Your name (or alias) for credit, and an email we can use to reach you

You don't need to suggest a fix — that's our job. But if you have one, we welcome it.

SECTION 05

Severity and response time.

We use a CVSS-aligned severity scale. Indicative response and fix targets for confirmed valid reports:

Severity · Examples · Target fix time

  • Critical · Remote code execution; full database extraction; privilege escalation to admin; bypass of Aadhaar verification · Patch within 7 calendar days
  • High · Authenticated SQL injection; account takeover; sensitive data exposure of one tenant; SSRF to internal services · Patch within 30 calendar days
  • Medium · Stored XSS; CSRF on sensitive actions; logic flaws in match scoring; rate-limit bypass · Patch within 60 calendar days
  • Low · Reflected XSS in low-context pages; verbose error messages; missing security headers · Patch within 90 calendar days

For Critical issues affecting Aadhaar or visitor data, we may patch faster than the timeline above and notify affected customers under our breach procedures.

SECTION 06

Disclosure timing.

We follow coordinated disclosure. After a vulnerability is fixed, we will work with the reporter to publish a brief summary of the issue, the fix, and any necessary advisory. The default coordination window is 90 days from acknowledgement, extendable by mutual agreement for complex issues.

We ask researchers not to publicly disclose the issue, share it with media, or post details on social platforms before the coordination window closes. If we are unresponsive or you believe users are at active risk, please escalate to [email protected] before going public.

SECTION 07

Rewards and recognition.

This programme is currently offered without monetary bounty. We are setting up a formal bug bounty programme for 2026 and will update this page when it goes live.

In the meantime, we will:

  • Publicly acknowledge your contribution on our security page (with your permission)
  • Send Certopact swag for valid reports — t-shirts, stickers, mugs
  • For especially high-impact findings, offer a discretionary cash reward and a written letter of acknowledgement that you can use for resume or career purposes

Anonymous reports are welcome — just let us know in your report whether you want recognition.

SECTION 08

Safe harbour.

If your security research is conducted in good faith and follows this policy, we consider it authorised. We will:

  • Not pursue or support legal action against you under the Information Technology Act, the Aadhaar Act, or any other applicable law
  • Not take action under the terms of service for activities permitted by this policy
  • Help defend you, where reasonable, if a third party threatens action arising solely from your good-faith research under this policy

This protection does not extend to: (a) testing performed outside the scope or rules above, (b) data exfiltration or unauthorised retention of personal data, (c) actions that violate the law or the rights of others, or (d) public disclosure outside our coordination window.

If you are unsure whether a planned action falls within safe harbour, please write to us first — we are happy to clarify.

SECTION 09

PGP key.

For sensitive reports, you can encrypt your email to [email protected] using our public PGP key. The fingerprint is:

Key fingerprint: TBD — to be published before 30 May 2026
User ID: Certopact Security <[email protected]>
Algorithm: RSA 4096
Expiration: 24 months from issuance

The full key will be published at certopact.com/.well-known/security.txt and in the standard public PGP key servers. We rotate the key every 24 months, with overlap, so encrypt to the most recent fingerprint.

SECTION 10

Hall of thanks.

We will list researchers who have responsibly disclosed valid issues here, in chronological order, with their permission. As Certopact is in pilot phase, this list is currently empty — we look forward to filling it.

Each entry includes the researcher's name (or alias), the affected component, the severity, and the date of disclosure.

SECTION 11

Get in touch.

Security reports
[email protected]
Data protection
[email protected]

Thank you for helping make Certopact safer. Genuinely.