If you happen to have identified a vulnerability on any of our web properties, we request you to follow the steps outlined below:

• Please contact us immediately by sending an email to security@houseofindya.com with the necessary details to recreate the vulnerability scenario. This may include screenshots, videos or simple text instructions.
• Please share your contact details (email, phone number), so that our security team can reach out to you if further inputs are needed to identify or close the problem.
• Do provide enough information to reproduce the problem, so we will be able to resolve it as quickly as possible.
• Do not reveal the problem to others until it has been resolved.
• Do not use attacks on physical security, social engineering, distributed denial of service, spam, etc.

Generally speaking, any bug that poses a significant vulnerability could be eligible for recognition but it's entirely at our discretion to decide whether a bug is significant enough to be eligible for recognition Security issues that typically would be eligible listed under Vulnerability Categories.

• Cross-Site Request Forgery (CSRF)
• Cross-Site Scripting (XSS)
• Code Executions
• SQL injections
• Server-Side Request Forgery (SSRF)
• Privilege Escalations
• Authentication Bypasses
• File inclusions (Local & Remote)
• Protection Mechanism bypasses (CSRF bypass, etc.)
• Leakage of sensitive data
• Directory Traversal
• Payment manipulation
• Administration portals without authentication mechanism
• Open redirects which allow stealing tokens/secrets

• Don't violate the privacy of other users, destroy data, disrupt our services, etc.
• Only target your own accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the accounts of other users.
• Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc.
• In case you find a severe vulnerability that allows system access, you must not proceed further.
• It is indya's decision to determine when and how bugs should be addressed and fixed.
• Disclosing bugs to a party other than indya is forbidden, all bug reports are to remain at the reporter and indya's discretion.
• Threatening of any kind will automatically disqualify you from participating in the program.
• Exploiting or mis-using the vulnerability for own or others benefit will automatically disqualify the report.
• Bug disclosure communications with indya's Security/Technology Team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.

We are not part of a cash/bug bounty program but are happy to issue a certificate of recognition to individuals who report security issues responsibly and help us make indya's systems more secure.

indya would like to thank all individuals who have discovered and reported vulnerabilities in indya system as per the responsible disclosure program. We sincerely appreciate the efforts of each individual listed below and we thank them for their technical skills, security knowledge, and constructive engagement with indya.