Version 1.1 · Effective 15 June 2026 · Jurisdiction: India
1. Our commitment
We welcome reports from security researchers and treat them as partners in keeping Certopact safe. For a good-faith report that follows this policy, we will:
- acknowledge it within 2 working days;
- triage it within 5 working days;
- fix it on a timeline based on severity, and keep you updated throughout;
- offer public credit (optional); and
- extend safe-harbour legal protection (see below).
2. Scope
In scope:
- certopact.com and its subdomains;
- Certopact Entry — verification kiosk and reception apps;
- Certopact Access — pre-registration, kiosk/walk-in check-in, host approvals and badge flows;
- public APIs (api.certopact.com);
- mobile applications, when released;
- authentication and access-control flows;
- Aadhaar / DigiLocker integrations; and
- email, SMS and webhook handlers.
Out of scope: third-party services, customer on-premises deployments, social engineering, physical attacks, DDoS, and self-XSS.
3. Rules of engagement
- Test only your own accounts and data.
- Avoid privacy violations; demonstrate minimal impact and do not exfiltrate data.
- Comply with applicable law.
- Do not disclose publicly before a fix is released.
- Aadhaar systems: no fuzzing or stress-testing of verification or UIDAI/DigiLocker integrations is permitted.
4. How to report
Email [email protected] with:
- a clear description of the vulnerability;
- step-by-step reproduction;
- affected components or endpoints (Entry, Access, API, website, etc.);
- proof-of-concept material; and
- how we can contact you.
5. Remediation timelines
| Severity | Target fix |
|---|---|
| Critical | Within 7 days |
| High | Within 30 days |
| Medium | Within 60 days |
| Low | Within 90 days |
6. Safe harbour
Good-faith research that follows this policy is authorised, and we will not pursue legal action under the IT Act or Aadhaar Act provisions for such activity. If legal action is brought by a third party, we will make clear that your actions complied with this policy.
7. Recognition
We do not currently offer monetary bounties; a formal programme is planned for 2026. In the meantime, researchers receive acknowledgement, optional public credit, swag and discretionary rewards for significant findings.
8. Contact
Security: [email protected]
General: [email protected] · +91 63574 97151
Post: Perigeon Software Private Limited, Ahmedabad, Gujarat, India