Legal

Responsible Disclosure Policy

Effective: April 2026 · Version 1.1 · Supersedes all prior versions

Amendment notice: Changes to this policy take effect on the effective date shown above for all researchers. Active investigations in progress at the time of any change will be governed by the version of this policy in effect when the report was submitted.

Privacy Policy Terms of Service Refund Policy Delivery Policy Data Policy Cookies Policy Security Policy Responsible Disclosure

ISO 27001 AlignedCERT-In GuidelinesIT Act 2000International Best Practice

Vext Audit Capital takes the security of our systems and client data with the utmost seriousness. This Responsible Disclosure Policy governs how security vulnerabilities in our systems may be reported and the terms under which security research is authorised. It must be read alongside the critical legal notice in Section 4 before conducting any testing.

Report a vulnerability: support@vextaudit.com · Subject: "Security Vulnerability Report"

Acknowledgement: Within 24 hours · Initial assessment: Within 3 Business Days

Pre-authorisation required before active testing (see Section 2 below).

1. Scope

This policy covers: vextaudit.com and all subdomains; publicly accessible API endpoints operated by the Firm; and email infrastructure configuration (SPF, DKIM, DMARC). It does not cover third-party services (Google, Razorpay, Vercel, Make.com; report those to the respective provider) or client systems (governed by engagement letters).

2. Pre-authorisation requirement

Active testing of the Firm's systems requires written pre-authorisation before any testing commences. To obtain pre-authorisation, email support@vextaudit.com with subject "Security Testing Pre-Authorisation Request", describing: the systems you intend to test; the testing methodology; the tools you intend to use; and your contact details. The Firm will respond within 3 Business Days with either written authorisation specifying the permitted scope and duration, or a written declination.

Passive observation of publicly accessible pages using a standard browser does not require pre-authorisation. All other testing, including but not limited to automated scanning, fuzzing, injection testing, authentication bypass attempts, and API testing, all require written pre-authorisation regardless of intent.

Testing without pre-authorisation is not covered by the safe harbour in Section 4 and may constitute an offence under Section 66 of the Information Technology Act 2000.

3. Conduct during authorised research

Authorised researchers must:

Conduct testing only within the scope specified in the pre-authorisation
Not access, copy, modify, delete, or exfiltrate any data beyond what is minimally necessary to demonstrate the vulnerability
Not conduct denial of service attacks or generate load that disrupts normal operations
Not introduce malware or destructive code
Not conduct social engineering or phishing against Firm personnel, clients, or service providers
Not test against accounts, data, or systems belonging to any other user or client
Report findings to support@vextaudit.com promptly and not disclose to any third party before the Firm has remediated the vulnerability

4. Safe harbour: civil matters only, criminal liability not affected

Civil non-prosecution commitment: For authorised research conducted strictly within the scope of written pre-authorisation and in full compliance with Section 3 above, the Firm commits not to initiate or support civil legal proceedings against the researcher for activities directly arising from that authorised research, under the laws of any jurisdiction in which the Firm operates.

Criminal liability not affected: This policy cannot and does not grant immunity from criminal liability under the Information Technology Act 2000, the Indian Penal Code, applicable cybercrime laws in the researcher's jurisdiction, or any other applicable criminal statute. Unauthorised access to computer systems is a criminal offence under Section 66 of the IT Act 2000 and equivalent laws globally. Neither the Firm nor this policy can indemnify any person against criminal prosecution by any authority. Researchers are solely responsible for ensuring their activities comply with all applicable laws in India and in their own jurisdiction.

No consideration: This safe harbour commitment is made as a published policy statement and does not constitute a contract. It may be amended or withdrawn at any time by updating this policy.

5. The Firm's response commitments

Acknowledgement within 24 hours of receiving a valid vulnerability report
Initial assessment within 3 Business Days confirming validity and scope
Progress updates at least every 7 days until resolution
Remediation targets: Critical: 14 days; High: 30 days; Medium: 60 days; Low: 90 days
Coordinated disclosure at an agreed date after remediation
Credit acknowledgement with the researcher's permission

6. Out-of-scope activities

The following are explicitly excluded from this policy and may result in criminal and civil legal proceedings regardless of intent:

Any testing without written pre-authorisation
Accessing, downloading, or exfiltrating any data not belonging to the researcher
Denial of service attacks of any kind
Introduction of malware or destructive code
Social engineering of Firm personnel, clients, or service providers
Physical access attempts to Firm premises or devices
Testing against other users' accounts or client data

7. Contact

Email: support@vextaudit.com

Subject line: "Security Vulnerability Report" or "Security Testing Pre-Authorisation Request"

Include: D