Responsible Disclosure Policy

Indiconnect Paytech Private Limited ("Indiconnect", "we", "our", or "us") is committed to maintaining the confidentiality, integrity, availability and security of its systems, platforms, services and data.

We acknowledge that independent security researchers and ethical hackers may identify security vulnerabilities that could assist in strengthening our security controls. This Responsible Disclosure Policy ("Policy") sets out the sole and exclusive framework under which such vulnerabilities may be responsibly disclosed to Indiconnect in a lawful, controlled and non-disruptive manner, and governs how Indiconnect will evaluate and respond to such disclosures.

This Policy applies to systems, applications, services, APIs, infrastructure and networks that are owned, operated or controlled by Indiconnect.

To participate under this Policy you must meet the following conditions:

• You are at least 18 years of age (or have the consent of a legal guardian).
• You are not a current or former employee (including contractor or intern) of Indiconnect, nor engaged in any engagement with us that may pose a conflict of interest.
• Your testing and reporting must comply with all applicable laws (including the Indian Information Technology Act, 2000, any amendments, rules/regulations, as well as other applicable jurisdictional laws) and must not violate any applicable contracts or terms of service.

Please submit your report to our dedicated email: grievance@indisign.co.in with the subject line: "Indiconnect Responsible Disclosure – [Short Title of Issue]"

Your report should include:

• A clear, concise summary of the issue.
• Step-by-step reproduction/investigation instructions.
• Relevant URLs, API endpoints, parameters, or payloads.
• Screenshots, logs or proof-of-concept (PoC) code, if available.
• The potential impact and your assessment of severity (optional, but helpful).
• Your contact details: full name, email address, phone number (optional), and affiliated organisation (if any).

Please do not publicly disclose the vulnerability (see Section 7 below) until we have had an opportunity to coordinate.

Upon receiving a valid submission, Indiconnect will:

• Acknowledge receipt of your report within five (5) business days.
• Review and verify the issue; assess its severity, root cause and scope of impact.
• Assign the issue for remediation in accordance with our internal prioritisation and timetable.
• Work (if mutually agreed) with you to remediate the issue and coordinate disclosure.
• At our sole discretion, we may provide recognition, public-acknowledgement (if you consent) or a reward (bug-bounty or other) for valid reports that lead to actionable improvements.
• Maintain confidentiality of your identity and your report details unless disclosure is required by law or you consent to publication.

By submitting a vulnerability under this Policy, you agree to comply with the following rules of engagement:

• Only access systems, data or functionality that is in-scope and necessary to reproduce the vulnerability. Accessing, modifying, deleting or downloading data that does not belong to you is prohibited.
• Do not disrupt, degrade or impair the performance, availability, reliability or integrity of Indiconnect's systems, services or infrastructure.
• Do not attempt to exploit the vulnerability beyond proof-of-concept or to cause damage or leakage of sensitive information.
• Do not target third-party systems, networks or services that are integrated or connected with our systems unless you have explicit prior written authorisation from Indiconnect.
• Do not use brute force attacks, automated scanners, denial-of-service tools, fuzzers or load-generators unless you have prior written authorisation.
• Do not withhold any information required by Indiconnect to reproduce or verify the issue. Providing incomplete or vague reports may result in disqualification.
• Do not publicly disclose, share or otherwise publish the vulnerability, your findings or the remediation details without prior written agreement from Indiconnect.

Any violation of the rules of engagement may result in rejection of your report, termination of your eligibility under this Policy, and potential legal action, including but not limited to civil or criminal proceedings.