Udaan Gateways Pvt Ltd
Coordinated Vulnerability Disclosure

Report a Vulnerability

Help keep Udaan Gateways Pvt Ltd applicants and partners safe across counselling, applications, and visa workflows. If you believe you’ve found a security issue, follow the guidelines below.


Introduction

This policy explains how to report potential security issues in websites, apps, applicant portals, integrations, and internal tools owned or operated by Udaan Gateways Pvt Ltd. Please act in good faith and allow us reasonable time to remediate before disclosing publicly.

Our Commitment

  • We investigate all legitimate reports and fix verified issues with priority proportional to impact on applicant/partner data.
  • We will not pursue legal action against researchers who follow this policy in good faith (see Safe Harbor).
  • We respect researcher privacy and keep personal details confidential unless required by law.

In Scope

Issues that affect confidentiality, integrity, or availability of our systems or applicant data. Examples relevant to education/visa workflows:

  • IDOR/broken access control exposing applicant profiles, documents (passport, transcripts, bank letters), or case status.
  • Authentication issues (session fixation, weak token validation, MFA bypass) on our domains or portals we operate.
  • Injection flaws (SQLi/NoSQLi), XSS, CSRF, SSRF, template injection affecting our infrastructure.
  • Cloud/storage misconfigurations (e.g., public buckets) revealing PII/financial proofs.
  • Misrouted communications (email/SMS/WhatsApp) that leak applicant data; missing or misconfigured email authentication (SPF/DKIM/DMARC) that allows spoofing of our domain.
  • Server-side information disclosure that meaningfully aids exploitation (keys, credentials, config dumps).

Note: Only assets owned/controlled by Udaan Gateways Pvt Ltd are in scope. University/government portals (IRCC/UKVI/USCIS/Home Affairs, etc.) are out of scope; report those to the relevant owners.

Out of Scope

Generally not eligible unless paired with a clear, exploitable security impact:

  • University/government/vendor platforms we do not control (application aggregators, payment gateways).
  • DoS/DDoS, stress/automation that degrades service, or spam campaigns.
  • Best‑practice reports without impact: missing security headers, verbose banners, version disclosures, clickjacking without data access.
  • Self‑XSS or browser‑only issues requiring high user interaction.
  • Rate‑limit/brute‑force without demonstrated account takeover or data access.
  • Physical security or social engineering of staff, students, or partners.

Ground Rules for Testing

  • Test only with accounts you own or test accounts you are lawfully permitted to use. Do not access, modify, or exfiltrate other people's data.
  • Never disrupt counselling sessions, interview slots, application submissions, payment flows, or biometrics scheduling.
  • Do not run automated scanning that could degrade service quality unless we have given prior written consent.
  • Do not share or retain any personal data obtained during testing; securely delete once reported.
  • Comply with applicable laws; do not create fabricated identities or forged documents as part of your testing.

Handling Applicant PII

Our workflows involve sensitive documents (passports, transcripts, bank letters, CAS/I‑20, etc.). If you inadvertently access another person’s data:

  • Stop testing immediately and capture only the minimal evidence needed (a redacted screenshot that retains the unique record ID where possible).
  • Do not download bulk data or share it publicly. Do not attempt to validate by accessing additional records.
  • Include redaction notes in your report; we will request further logs if needed.

How to Report

Email security@udaangateways.com with:

  • Issue summary, severity, and realistic impact on applicants/partners.
  • Steps to reproduce (PoC), affected URLs/endpoints, test account used.
  • Observed logs/headers, sample payloads, and network timeline where relevant.
  • Your contact info and preferred attribution (name/handle/site).

Our Response Timeline

  • 1 business day: Acknowledge receipt.
  • 3–7 business days: Initial triage, reproduce, and prioritise.
  • Fix window: Depends on severity/complexity; we’ll share status updates until remediation and deployment.
  • Disclosure: We coordinate public disclosure after a fix or within a mutually agreed timeline.

Safe Harbor

If you comply with this policy, Udaan Gateways Pvt Ltd will not initiate legal action or law‑enforcement referral for your research activities directed at our in‑scope assets. This does not protect unlawful, malicious, or harmful actions, or activity against third‑party/uncontrolled systems.

Recognition / Rewards

We do not currently run a paid bug bounty. With your consent we may credit validated researchers on a public Hall of Fame after remediation, and may share a thank‑you note or swag where feasible.

Security Contact

Udaan Gateways Pvt Ltd
Khatima, U.S. Nagar, Uttarakhand, 262308
Email: security@udaangateways.com

Found something sensitive?

Please report privately. We’ll work with you to fix it quickly and responsibly.
