Responsible Disclosure Policy

v1.1.0, effective 2026-05-09, content hash da43b1ab8699be76...

# Responsible Disclosure Policy

Effective from 9 May 2026. Version 1.1.0.

ElevateFinance Private Limited ("**ElevateFinance**", the "**Supplier**", "**we**", or "**us**") values the work of the security-research community. This Responsible Disclosure Policy ("**Policy**") describes how to report a security vulnerability and the safe-harbour terms ElevateFinance offers to researchers acting in good faith.

This Policy is read together with the Acceptable Use Policy, the Privacy Policy, the Master Services Agreement (the "**MSA**"), the Data Processing Agreement (the "**DPA**"), and the CERT-In Incident Runbook.

## Defined terms

In this Policy:

- "**Researcher**" means a natural person or legal entity that identifies, reports, or proposes to report a Vulnerability to ElevateFinance under this Policy.
- "**Vulnerability**" means a security weakness in the Platform that, if exploited, could materially affect the confidentiality, integrity, or availability of the Platform or the Personal Data it processes.
- "**Platform**" or "**Service**" means the software-as-a-service product operated by ElevateFinance under the apex domain `elevatefinance.co` and every white-label tenant subdomain configured under the MSA.
- "**Personal Data**" has the meaning given in the Digital Personal Data Protection Act 2023 (the "**DPDP Act**").
- "**Applicable Law**" means every law, rule, regulation, circular, notification, order, judgment, or directive in force in India and applicable to a Party's performance under this Policy.
- "**Working Day**" means a day other than a Saturday, Sunday, or declared public holiday at ElevateFinance's principal place of business.

## 1. In scope

**Plain-language summary.** Testing is permitted on ElevateFinance's own Platform. The list below is non-exhaustive; if in doubt, ask.

The following targets are in scope:

(a) `elevatefinance.co` and any sub-domain operated by ElevateFinance;

(b) `*.elevatefinance.co` (every white-label tenant subdomain);

(c) custom domains validly pointed to ElevateFinance through the listed hosting partner's domain-attach mechanism;

(d) public programmatic interfaces exposed under the documented paths of the Platform;

(e) the mobile applications published under ElevateFinance's identifiers; and

(f) the desktop applications signed by ElevateFinance.

## 2. Out of scope

**Plain-language summary.** Sub-processor systems are out of scope -- report to those vendors directly under their bug-bounty programmes. Volumetric attacks, social engineering, and physical access are out of scope. Researchers must not access third-party tenant data or any End-User's Personal Data.

The following are out of scope, and any unauthorised access remains unlawful under Section 43 of the Information Technology Act 2000:

(a) denial-of-service or volumetric attacks;

(b) social-engineering attacks against ElevateFinance employees, contractors, or vendors;

(c) physical access attempts;

(d) sub-processor systems (the providers identified in the Sub-Processor List, including the listed hosting partners, the listed payment partner, the listed email-delivery partner, and any other listed sub-processor) -- report directly to those vendors under their bug-bounty programmes;

(e) third-party tenant data: under no circumstance may a Researcher access another tenant's data, even to demonstrate a Vulnerability. Where the Researcher discovers a cross-tenant access path, the Researcher must stop immediately and report; and

(f) any End-User's Personal Data: the Researcher shall not access, store, transmit, or publish Personal Data. Any data accidentally encountered must be deleted immediately and reported.

## 3. Reporting channel

**Plain-language summary.** Reports go to a single dedicated inbox that supports encryption.

3.1 Reports go to `security@elevatefinance.co`.

3.2 The Researcher is encouraged to encrypt the report. The public-key fingerprint is published at `/.well-known/security.txt`.

3.3 The Researcher should include:

(a) a clear description of the Vulnerability;

(b) a reproducible proof-of-concept that does not exfiltrate data;

(c) the impact the Researcher believes the Vulnerability has; and

(d) contact information for follow-up.

## 4. Safe harbour

**Plain-language summary.** ElevateFinance will not pursue civil claims against a Researcher who acts in good faith on the conditions below. Researchers who depart from these conditions are not protected by this Policy.

Subject to the conditions below, ElevateFinance will not pursue civil claims under the Information Technology Act 2000 or any other Applicable Law against a Researcher who:

(a) makes a good-faith effort to comply with this Policy;

(b) avoids privacy violations, disruption to live tenants, and destruction or modification of data;

(c) does not access another tenant's or another End-User's data;

(d) gives ElevateFinance a reasonable amount of time to investigate and remediate before any public disclosure (typically ninety (90) calendar days, extended in mutual good faith for high-impact issues);

(e) does not request payment as a condition of disclosing the Vulnerability. Bounty awards, where offered, are at ElevateFinance's sole discretion and are paid only after remediation; and

(f) does not breach the Acceptable Use Policy or any other Applicable Law in the course of testing.

## 5. Recognition

**Plain-language summary.** Researchers who responsibly disclose valid issues are recognised on a public Hall of Fame. A Researcher may opt out of recognition.

5.1 ElevateFinance maintains a public Hall of Fame at `/security/hall-of-fame` listing Researchers who have responsibly disclosed valid issues.

5.2 A Researcher may opt out of recognition.

## 6. Bounty (where applicable)

**Plain-language summary.** Bounties are discretionary, paid in Indian Rupees, and may be subject to tax withholding under the Income-tax Act 1961.

6.1 Bounty awards are paid in Indian Rupees (or, at the Researcher's preference and ElevateFinance's discretion, in another currency) according to ElevateFinance's published bounty schedule.

6.2 The schedule classifies Vulnerabilities by impact (Critical, High, Medium, Low) and pays accordingly.

6.3 Tax withholding under the Income-tax Act 1961 may apply.

## 7. Coordinated disclosure

**Plain-language summary.** ElevateFinance acknowledges, assesses, keeps the Researcher informed, and coordinates any public disclosure with the Researcher.

ElevateFinance shall:

(a) acknowledge receipt of every report within seventy-two (72) hours;

(b) provide an initial assessment within seven (7) Working Days;

(c) keep the Researcher informed of remediation progress;

(d) notify the Researcher when the issue is fixed and ready for re-test; and

(e) coordinate any public disclosure with the Researcher.

## 8. Reporting Vulnerabilities to CERT-In

**Plain-language summary.** Where a Vulnerability constitutes an "incident" within the meaning of the CERT-In Direction of 28 April 2022, ElevateFinance separately reports to CERT-In within the mandated timeline. Researcher attribution is preserved unless the Researcher has opted out.

8.1 Where a Vulnerability constitutes an "incident" within the meaning of the CERT-In Direction of 28 April 2022, ElevateFinance separately reports to the Indian Computer Emergency Response Team within the timeline that the Direction prescribes.

8.2 Researcher attribution is preserved in every CERT-In report unless the Researcher has opted out of recognition.

## 9. Personal Data Breach Notification under the DPDP Act

**Plain-language summary.** Where a Vulnerability has resulted in a Personal Data breach within the meaning of Section 8(6) of the DPDP Act, ElevateFinance complies with the DPDP Act notification clock as well as the CERT-In clock. The earlier deadline binds.

9.1 Where a Vulnerability has resulted in a Personal Data breach within the meaning of Section 8(6) of the DPDP Act, ElevateFinance notifies the Data Protection Board of India and affected Data Principals within the timeline the DPDP Act and the Rules prescribe.

9.2 The CERT-In clock and the DPDP Act clock run in parallel from the moment ElevateFinance becomes aware of the incident. The earlier deadline binds.

## 10. Governing law

**Plain-language summary.** Indian law governs. Disputes go to the forum named in the MSA or the Terms of Service, as applicable.

10.1 This Policy is governed by the laws of India.

10.2 Disputes are resolved under the dispute-resolution clause of the MSA (where the Researcher is a Customer or End-User of a Customer) or the Terms of Service (where the Researcher is a retail User).

## 11. Cross-references

This Policy is read together with:

- Master Services Agreement
- Terms of Service
- Acceptable Use Policy
- Privacy Policy
- Data Processing Agreement
- Sub-Processor List
- DPDP Grievance Redressal
- CERT-In Incident Runbook
- Disclaimer

---

Thank you for helping keep ElevateFinance and our Customers safe.