RESPONSIBLE DISCLOSURE POLICY

Effective Date: 18 June 2025 

Last Updated: 18 June 2025 

At Addverb Technologies Private Limited, including its subsidiaries (“Addverb”), we take security seriously. We recognize the valuable role that independent Security Researchers play in helping us maintain the highest standards of cybersecurity. This Responsible Disclosure Policy (“Policy”) outlines the process by which Security Researchers can report potential security vulnerabilities in Addverb’s digital assets in a lawful, responsible and ethical manner. 

By following this Policy, Security Researchers can contribute to the overall safety and resilience of our systems; while ensuring they remain protected from legal action, provided they strictly adhere to the terms set out herein. 

Scope of Policy 

This policy applies to addverb.com and its subdomains, operated, or managed by Addverb that are explicitly covered under public-facing domains. 

This Policy does not authorize: 

1. Any access to systems beyond the intended scope. 

2. Testing on non-public or third-party assets. 

3. Violation of applicable laws. 

For the purpose of this Policy, “Security Researcher” means any individual or entity who, in good faith, interacts with Addverb’s systems, services, or products for the sole purpose of reporting a security vulnerability in accordance with this Policy. This includes ethical hackers, independent researchers, bug bounty hunters, and any other parties submitting such reports. 

Responsible Disclosure Process 

We ask that all Security Researchers: 

1. Act in good faith and within the bounds of the law. 

2. Avoid any actions that could cause harm, disruption, or loss to Addverb or its customers. 

3. Provide a detailed report, including steps to reproduce the issue, potential impact, and recommended remediation. 

4. Do not disclose the vulnerability to the public or any third party until Addverb provides express written permission, in advance. 

Reporting 

To report a vulnerability, please email us at [email protected] 

Your report should include: 

1. A clear description of the vulnerability. 

2. The date and time of discovery. 

3. Assumed Impact 

4. Affected services, or URLs. 

5. Step-by-step instructions to reproduce the issue. 

6. Any relevant screenshots, logs, or proof-of-concept code. 

7. Recommended Fix 

Addverb will acknowledge receipt within 7 business days and aim to assess and resolve valid issues within a technically reasonable timeframe. Addverb may choose to disregard submissions by parties who submit a high volume of low-quality reports. 

Exclusions 

• Vulnerabilities that do not demonstrate security impact will be considered out of scope for this program. 

• Vulnerabilities regarding SPF/DMARC/DKIM records without verifiable proof of spoofing  

• Best practice concerns like non-session cookies not marked secure and HTTP only, SSL/TLS configuration, missing security headers, etc. 

• Vulnerabilities reported by automated tools and scanners without additional proof of concept 

• Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks 

• Spam, brute-force attacks, or testing involving personal data. 

• Exploits that need physical access to the victim’s device 

• Host header injection 

• Previously known vulnerable libraries without a working Proof of Concept 

• Any kind of spoofing attacks or any attacks that lead to phishing (e.g. Email spoofing, Capturing login credentials with fake login page) 

• Bugs requiring exceedingly unlikely user interaction i.e., social engineering attacks, both against users and Addverb employees, in particular. 

• Third-party API key disclosures without any impact or which are supposed to be open/public. Specifically, exposed Google Map API keys and keys in Android XML files.  

• OPTIONS / TRACE HTTP methods enabled 

• Known public files or directories disclosure (e.g. robots.txt, CSS/images, etc) 

• Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality 

• Any kind of vulnerabilities that require installation of software like web browser add-ons, etc. in the victim's machine 

• Brute force on forms (e.g. Newsletter / ContactUs page) 

• Missing best practices in Content Security Policy. 

• Missing SSL, CAA headers 

• Functional, UI, and UX bugs and spelling mistakes. 

Violations of the exclusions listed above may result in disqualification from safe harbour protections and potential legal action. 

No Rewards 

No monetary compensation is offered or provided in connection with reporting vulnerabilities. This policy is not intended to encourage or authorize penetration testing, scanning, or hacking attempts against Addverb’s information technology infrastructure, but rather to provide a responsible and secure framework under which legitimate security vulnerability disclosures can be communicated and remediated. 

Addverb reserves the right to assess each submission on a case-to-case basis. At its sole discretion, Addverb may choose to provide non-monetary gestures of appreciation, such as public acknowledgement or a letter of recognition, subject to a mutual agreement and only where the Security Researcher has complied with all terms of this Policy. 

Points to Remember 

• Do not exploit any vulnerability beyond what is necessary to prove its existence. 

• Do not access, copy, download, or tamper with data that does not belong to you. 

• Do not disrupt any system or service availability during testing. 

• Do not attempt to gain access to accounts or credentials of other users. 

• All activity must remain within the scope and limits set out in this Policy. 

Indemnity 

By submitting a vulnerability report under this Policy, the Security Researcher agrees to indemnify, defend, and hold harmless Addverb, its affiliates, officers, directors, employees, and agents from and against any and all claims, damages, liabilities, losses, costs, and expenses (including attorney’s fees) arising out of or related to the Security Researcher’s conduct, actions, or omissions that breach the terms of this Policy, violate applicable laws, or cause harm to Addverb or any third party. 

Legal Notice and Disclaimer 

Addverb reserves all legal rights in the event of any non-compliance with this Policy, including rights to initiate criminal or civil proceedings under applicable laws and relevant international legislation. 

This policy does not grant any license (express or implied) to access Addverb’s systems or to perform security testing. Addverb reserves the right to modify or withdraw this Policy at any time without notice. Participation does not create any contractual relationship between Addverb and Security Researcher. 

Contact Us 

All questions, comments, or vulnerability reports under this Policy should be directed to [email protected]