VULNERABILITY DISCLOSURE POLICY
- Introduction and Policy Objectives
Responsible Vulnerability Disclosure and Coordination refers to the process of collecting and analysing newly identified cybersecurity vulnerabilities, coordinating their mitigation with researchers (finders) and vendors, and ultimately disclosing them publicly. Its purpose is to ensure that affected vendors and Original Equipment Manufacturers (OEMs) have sufficient time to remediate a vulnerability before it becomes public.
FINRAMP TECHNOLOGIES PRIVATE LIMITED (“Company” or "we" or "us" or "our") is dedicated to safeguarding customer information and maintaining robust system integrity. We recognize and value the essential contributions made by security researchers in strengthening cybersecurity practices. We hold ISO 27001 certification and partner closely with regulated Non-Banking Financial Companies (NBFCs) and depository institutions, underscoring our commitment to security and compliance. This policy covers only vulnerabilities in systems and services owned and managed by us.
- Authorization and Safe Harbor Provisions
When researchers identify and responsibly report vulnerabilities in compliance with this policy, acting in good faith, we will collaborate closely with them to promptly address and resolve these issues.
We will not initiate legal action against researchers conducting vulnerability identification activities, provided these actions strictly adhere to the guidelines specified in this policy.
Good-faith efforts by researchers to comply with this policy during security research will be recognized as authorized. Furthermore, if a third party initiates legal proceedings against researchers for activities conducted in alignment with this policy, we will reaffirm the researchers' authorized status under this policy.
- Scope Definition and Engagement Guidelines
- In-Scope Systems:
- All domains and subdomains under quicklend.in
- Mobile applications (iOS and Android)
- Customer portals and authentication systems
- Authorized third-party integrations
- Out-of-Scope Systems and Activities:
- Systems operated by partner NBFCs and other partner institutions
- Social engineering activities
- Physical security assessments
- Third-party vendor systems unless explicitly authorized
- While conducting vulnerability assessments, researchers MUST:
- Avoid exploiting identified vulnerabilities beyond the minimum needed to confirm their presence. This includes refraining from downloading excessive data, deleting or modifying user data, or engaging in unnecessary system interactions.
- Employ only safe, non-destructive techniques to verify vulnerabilities.
- Maintain confidentiality of all data accessed or downloaded during vulnerability discovery and refrain from sharing it with third parties.
- Keep all identified vulnerabilities confidential until fully resolved by the organization.
- Immediately cease testing upon encountering sensitive information (e.g., Personally Identifiable Information, medical records, financial data, proprietary information, or trade secrets), promptly notify the organization, and not disclose this information to others.
- Delete all data accessed, downloaded, or retrieved once we have acknowledged the vulnerability.
- Researchers MUST NOT engage in the following prohibited activities:
- Copying, altering, or deleting any system data.
- Making unauthorized changes to systems or system configurations.
- Repeatedly accessing systems unnecessarily or sharing system access with unauthorized individuals.
- Leveraging gained access to target additional systems.
- Altering other users' access privileges.
- Utilizing automated scanning tools or employing brute-force techniques.
- Conducting denial-of-service attacks or social engineering (including phishing, vishing, or spam).
- Engaging in physical security attacks or related activities.
- Introducing malware such as viruses, worms, or Trojan horses into any system.
- Exploiting vulnerabilities to gain unauthorized control over systems.
- Reporting Process and Requirements
- Reporting Channels:
If you have identified a vulnerability, please e-mail your findings as soon as possible to security@quicklend.in, specifying whether or not you agree to your name or pseudonym being made publicly available as the discoverer of the problem.
- Required Information:
- Comprehensive vulnerability description.
- Step-by-step guidance on reproducing the vulnerability.
- Potential impact assessment outlining possible business risks.
- Proof of concept demonstrations without exploitation.
- Suggested mitigation or remediation steps, if available.
- Response Timelines and Disclosure Coordination
When you report a vulnerability, we commit to acknowledging your submission within 5 business days. We will handle your report confidentially, evaluate it thoroughly, and, when feasible, notify you once the issue is resolved.
Any personal information you share (such as your name or email) will be processed in accordance with applicable data protection laws, and we will never share your details without your explicit consent. If you agree, we may publicly recognize your contribution when disclosing the vulnerability.
- Compliance and Regulatory Considerations
We are committed to adhering to all applicable cybersecurity regulations and guidelines. Specifically, our practices comply with the cybersecurity directives of the Reserve Bank of India (RBI) for Non-Banking Financial Companies (NBFCs) and follow the mandatory vulnerability reporting protocols as established by CERT-In.
Additionally, our approach aligns with the data protection standards set out in the Company’s Privacy Policy. Where a vulnerability may impact our partner NBFCs, we shall actively coordinate with their security teams to ensure alignment and compliance with regulatory obligations.
- Legal and Ethical Framework
This Vulnerability Disclosure Policy is governed by applicable Indian cybersecurity laws, including but not limited to, the Information Technology Act, 2000, and related regulations. This policy supplements our existing Terms of Service and is to be interpreted alongside those terms. Violations of this policy, including unauthorized access or misuse of Company systems or data, may result in disciplinary or legal action.
Dispute resolution concerning this policy will follow procedures as described in the Terms of Service, including arbitration provisions as applicable.