Vulnerability Disclosure Policy
How to report a security vulnerability to us safely.
Company: EcomSarthi Business Solutions LLP ("EcomSarthi", "we", "us", "our")
Product: Ecom10x — One Dashboard. Every Marketplace. (the "Platform" or "Service")
Effective Date: [EFFECTIVE_DATE — e.g., 1 August 2026] · Version: [VERSION — e.g., 1.0] · Next Review: [NEXT_REVIEW_DATE — e.g., 1 February 2027]
1. Our Commitment
We welcome good-faith reports of security vulnerabilities in Ecom10x and will work with reporters to verify and remediate promptly.
2. How to Report
Email [SECURITY_EMAIL — e.g., security@ecom10x.in] with: a description of the issue and its impact; steps to reproduce (proof-of-concept where safe); affected URLs/endpoints; and your contact details. Please use English. If you need to share sensitive material, request a secure channel in your first email.
3. Scope
In scope: the Ecom10x web application, its APIs, and authentication flows.
Out of scope: third-party Marketplaces and their APIs (report to them directly); our subprocessors' platforms; social engineering of staff or users; physical attacks; denial-of-service or volumetric testing; spam; and automated scanning that degrades service.
4. Rules of Engagement (Safe Harbour)
If you: act in good faith; access only the minimum data necessary to demonstrate the issue; do not access, modify or delete other users' data; do not disrupt the Service; and give us reasonable time to remediate before any public disclosure — then we will not initiate legal action against you for your research, and we consider such research authorised under this Policy to the extent within our control. Never test with real customer data; create your own trial account.
5. Our Response Targets
- Acknowledgement: within 3 business days.
- Triage decision: within 7 business days.
- Remediation: prioritised by severity; critical issues are addressed as an emergency.
- We will keep you informed of progress and tell you when the issue is fixed.
6. Recognition
We do not currently operate a paid bug bounty. With your consent, we are happy to credit meaningful reports on our Trust Center acknowledgements list.
7. Coordinated Disclosure
Please allow up to 90 days (or a mutually agreed timeline) before public disclosure so users are protected. See also the Responsible Disclosure Policy.
Contact
[SECURITY_EMAIL — e.g., security@ecom10x.in]