Responsible Disclosure Policy

Version 1.1.1, Effective Date: 1st August 2025

Faciliti Technologies Private Limited ("FACILITI", "we", "us") values the security research community. If you believe you've found a vulnerability in our products or infrastructure, we encourage responsible disclosure so we can protect our customers and users quickly and fairly.

Who we are

Faciliti Technologies Private Limited

44, 2nd Floor, Regal Building, Connaught Place, New Delhi 110001

[email protected]

1. Scope

This policy covers security vulnerabilities discovered in:

  • FACILITI web admin dashboard and APIs (faciliti.in and subdomains),
  • FACILITI mobile applications (Android/iOS),
  • Public website components under our control (faciliti.in).

Out of scope:

  • Third-party providers (e.g., AWS, Microsoft Azure) and their platforms.
  • The Quickprism identity layer and DigiLocker: report such issues to their owners; if a finding spans multiple integrations, please email us and we will coordinate.
  • Social engineering of our staff, customers, or suppliers.
  • Physical security of offices, data centres, or customer premises.

2. Rules of Engagement

To protect users, researchers must:

  • Cause no harm: avoid privacy violations, data destruction, or service disruption,
  • Never access, modify, or exfiltrate personal data; use only your own accounts/test data,
  • Not perform denial-of-service (DoS), brute force against live systems, or resource-exhaustion tests,
  • Not run automated scanning of production without written permission,
  • Not attempt social engineering, phishing, or physical intrusion,
  • Keep details confidential and permit us a reasonable time to remediate before public disclosure.

3. Safe Harbour

If you follow this policy in good faith, we will not initiate legal action or refer you to law enforcement for your research, and we consider your testing authorised under anti-hacking laws. This safe-harbour commitment does not apply to actions that are malicious, reckless, or that violate the Rules of Engagement above.

4. How to Report

Email: [email protected] (PGP key available on request)

Please include:

  • A clear description of the issue and impact,
  • Affected URL, endpoint, app version, or environment,
  • Step-by-step reproduction with minimal proof-of-concept code or screenshots,
  • Your test account details (if any), timestamped requests/responses, and headers (redact secrets),
  • Suggested remediation or references, if available,
  • Your contact and preferred credit name (or state if you prefer to remain anonymous).

Please avoid multiple threads for the same issue; reply to the existing thread with updates.

5. Our Commitment (SLAs)

  • Acknowledgement: within three business days,
  • Triage and initial assessment: within seven business days,
  • Status updates: at least every 14 days until remediation,
  • Remediation targets (guideline, may vary by complexity):
    - Critical (remote code execution, auth bypass): aim ≤ 15 business days,
    - High (significant data exposure, privilege escalation): aim ≤ 30 business days,
    - Medium/Low: addressed in the next scheduled release cycle.

We use CVSS (v3.1/4.0) and real-world impact to prioritise.

6. Recognition and Rewards

At present, we do not offer monetary bounties. With your permission, we will credit confirmed, unique vulnerabilities on our "Security Hall of Thanks" page and provide a formal appreciation letter. For exceptional, high-impact findings, we may offer discretionary rewards.

7. What Findings Are Welcome (Examples)

  • Authentication/authorisation flaws (IDOR, privilege escalation),
  • Injection issues (SQLi, command, template, deserialization),
  • XSS, CSRF, clickjacking with demonstrable impact,
  • Cryptographic weaknesses (improper key/secret handling),
  • Sensitive data exposure due to misconfiguration,
  • Broken access control across multi-tenant boundaries,
  • Business-logic flaws enabling bypass of security controls.

8. What Is Generally Out of Scope (Examples)

  • Best-practice suggestions without security impact,
  • Missing security headers without exploitable context,
  • SPF/DMARC/DKIM configuration recommendations alone,
  • Clickjacking on pages without sensitive actions,
  • Rate-limiting or brute-force findings without a clear exploitation path,
  • Use of outdated libraries without a proven exploit,
  • Self-XSS or issues requiring a compromised device/rooted OS.

9. Data and Privacy

Do not attempt to view, modify, or exfiltrate user data. If you accidentally access personal data, stop immediately, do not save screenshots or copies, and notify us at once so we can take protective steps under DPDP.

10. Coordinated Disclosure

We support responsible, coordinated disclosure. After remediation, we welcome joint advisories or researcher write-ups that help the community, provided they:

  • Accurately describe the issue and fix, and
  • Do not expose sensitive artefacts, keys, or active attack paths.

11. Changes to This Policy

We reserve the right to update this policy to reflect any changes in law, technology, or operational requirements. The effective date will be revised, and material updates will be posted on our website.

Thank You

Security is a shared responsibility. Thank you for helping us keep FACILITI and the communities that rely on it safe.

Last Updated: February 2026