Vulnerability Disclosure Program


Service Lee Technologies Private Limited (“Servify”) takes the security of its systems and data very seriously and continuously strives to maintain the security and integrity of its products and services through state-of-the-art processes, security frameworks and regular audits. Servify is committed to working with the security researcher community to improve the same. We strongly believe that a close partnership with security researchers on the latest trends in security threats and vulnerability identification creates a powerful security ecosystem, making customers secure and confident in using our products and services along with all their impactful features. Servify has therefore adopted this Vulnerability Disclosure Program (“VDP”) to engage security researchers in responsibly reporting any security vulnerability that affects any product or service of Servify. The VDP is an initiative driven and managed by Servify’s Information Security team.

If you are a security researcher and have discovered any security vulnerability in the applications identified below, please report it to us as per our VDP. Reports that fall within the scope of VDP are also eligible for a certificate of thanks and recognition on our Security Hall of Fame as shared below.

You may report a vulnerability using the “Submit Report” button on this page.
Eligibility Criteria For Reporting Under VDP
If you consider yourself to be eligible to participate in the VDP, you must meet the following criteria:
  • You are at least 18 years of age.
  • You must be an individual researcher participating in your own individual capacity only.
  • You must agree to the terms and conditions of Servify’s VDP.
  • You did not and will not access any personal information that is not your own, including by exploiting the vulnerability.
You are not eligible to participate in the VDP if you meet any of the following criteria:
  • You are a resident of any country under sanctions or any other country that does not allow participation in this type of VDP;
  • You are under the age of 18 years;
  • You have any present or past record of committing any offence for violation of any law of the land;
  • You have violated any applicable law or regulation, including cybersecurity laws or other data security and privacy laws prohibiting unauthorized access to information. It is clarified that any vulnerability security testing done in compliance with this Policy will be deemed to be authorized by Servify;
  • Your organization does not allow you to participate in these types of VDPs;
  • You are in breach of your employer’s policy with respect to participation in the VDP;
  • You are currently an employee of Servify or any of its subsidiaries, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee;
  • You are not currently, nor have you been, an employee or consultant of Servify or any of its subsidiaries or group companies within the 6 months prior to submitting a report under the VDP;
  • You are neither a family nor household member of any individual who currently or within the past 6 months meets or met the criteria listed above.
  • You currently (or within the six months prior to providing us your report submission) perform services for Servify or any of its subsidiaries in an external staff capacity that requires access to the Servify group, such as an agency temporary worker, vendor employee, or contractor; or
  • You are or were involved in any part of the development, administration, and/or execution of the VDP.

You are responsible for reviewing and complying with your employer's rules for participating in this VDP (including, to the extent applicable, receiving recognition in the Security Hall of Fame). It is your responsibility to comply with any policies that your employer may have that would affect your eligibility to participate in our VDP or to receive the recognition. If you are participating in violation of your employer’s policies, you may be disqualified from participating or from receiving any recognition in our Security Hall of Fame.

Further, Servify employees and contractors, as well as their immediate family members are strictly prohibited from participating in the VDP or sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this VDP).

Please note that failure to comply with any of the above-mentioned criteria would immediately disqualify you from being eligible for an award under the VDP. Further, any conduct by a security researcher that appears to be unlawful, malicious, or criminal in nature, including but not limited to extortion, would result in immediate disqualification under this VDP.

There may be additional restrictions on your eligibility to participate in the VDP if the same is deemed necessary by the Management of Servify. If at any point while researching a vulnerability, you are unsure whether you should continue, please send an email to infosec@servify.in without any delay.

Scope of VDP

In Scope

The following Servify-owned websites and mobile applications are in scope of the VDP:
  1. *.servify.in
  2. *.servify.tech
  3. Servify Android Application
  4. Servify iOS Application

Out of Scope

Servify-owned WordPress websites and sandbox (dev, staging or UAT) portals are not within the scope of the VDP. These include, but are not limited to:

  1. blog.servify.tech
  2. guide.servify.in

If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We may in our sole discretion modify or amend the scope of this VDP from time to time.

Exclusions

When reporting vulnerabilities, please consider the attack scenario/exploitability and security impact of the bug. The following issues are considered out of scope of this VDP, and we will not accept any of the following types of attacks:

  • Denial-of-service attacks.
  • Email spoofing and phishing.
  • Spam and social engineering.
  • Email or account enumeration.
  • Any physical access issues.
  • Publicly accessible pages.
  • Any weakness or disclosure of information that does not lead to a direct vulnerability.
  • Any vulnerabilities in third-party apps or websites are generally not within the scope of our VDP.
  • Rate limiting (unless it implies a severe threat and/or business loss).
  • Duplicate submissions for the already identified vulnerabilities by external as well as internal researchers.
  • Vulnerability related to Google Maps API Keys.
  • Multiple recurrences of the same vulnerability on different domains will be treated as the same issue.
  • Software/Service version disclosure.
  • Cross-site request forgery (CSRF) in non-sensitive functions.
  • Missing/misconfigured SPF/DMARC DNS-records.
  • Gmail "+" and "." acceptance.
  • Weak or misconfigured SSL/TLS parameters.
  • Content spoofing.
  • WordPress vulnerabilities.
  • Vulnerabilities within our sandbox, UAT, or staging environments.
  • Vulnerabilities that are limited to unsupported browsers will not be accepted.
  • Username/email enumeration, password guessing, and exposed API interfaces (like xmlrpc.php) in standard software (e.g. WordPress).
  • IDOR for objects that you have permission to access.
  • Clickjacking and other issues only exploitable through clickjacking.
  • HttpOnly and Secure flags not set on non-session cookies.
  • Issues without clearly identified security impact such as missing security headers.
  • Formula Injection or CSV Injection.
  • DOM Based Self-XSS and issues exploitable only through Self-XSS.
  • Networking issues or industry standards.
  • Password complexity.
  • Disclosure of known public files or directories (e.g. robots.txt).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Session Timeouts.
  • Concurrent Sessions.
  • SSL Pinning Bypass for both Android and iOS.
  • Root/Jailbreak Detection Bypass for both Android and iOS.
  • EXIF Geolocation Data Not Stripped From Uploaded Images.


Guidelines for Testing

  • Perform research within the defined scope as set forth in this VDP.
  • Do not access personal information or financial information of any customer, employee or other personnel of Servify, or proprietary information or trade secrets of companies, partners or vendors. If you accidentally access any of these on our systems while testing within the scope of this VDP, stop your test and notify us immediately at infosec@servify.in.
  • If the identified vulnerability can be used to potentially extract sensitive information related to customers or internal systems, or impact our ability to function normally, then stop your test and notify us immediately at infosec@servify.in. This is absolutely essential for us to consider your disclosure a responsible one. We may take legal recourse if the identified vulnerabilities are exploited for unlawful gains or getting access to restricted customer or system information or impacting our systems.
  • If you gain access to any non-public application or non-public credentials, please stop testing and report the issue immediately.
  • Please do not run any automated scans or disrupt production systems.
  • Please do not test open network ports or open services other than public HTTP endpoints while identifying vulnerabilities.
  • Do not download or use more data than is necessary to demonstrate the vulnerability.
  • Do not make any changes/modifications without explicit prior permission from Servify.
  • Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Do not use or exploit a vulnerability to compromise or exfiltrate data, establish command-line access and/or persistence, or “pivot” to other systems.
  • Do not violate any applicable laws or breach any agreements in order to discover vulnerabilities.
  • Do not attempt to target Servify’s employees or customers, through social engineering, phishing or physical attacks (including but not limited to automated chat systems).
  • Do not perform physical attacks against any facility of Servify.
  • Do not threaten or try to extort Servify. Do not act in bad faith and make requests for ransom.
  • Ensure that security testing does not cause any disruption to production systems, degradation of user experience or destruction of data, whether via automated security scanning, brute-force testing, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, testing of rate limiting on non-sensitive endpoints, etc.
  • Avoid inadvertently causing a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, even in the absence of any malicious intention. Any such violation or disruption must be disclosed immediately in your communication with Servify.


Reporting Process

If you have identified a potential security vulnerability, please follow the terms and conditions of the VDP before submitting a report on it. By submitting the Report, you are deemed to have agreed to the terms and conditions of the VDP.

Any query or accompanying material after the report is submitted can be sent to infosec@servify.in. All shared documents must be password protected, and the password must be sent in a separate email. The security vulnerability identified by you must be deemed original (i.e. not previously reported to Servify, and also not publicly disclosed) in order for you to receive recognition for it.

Once a Report is submitted, Servify reserves the right to request that you securely and irreversibly delete any data related to such Report, including, without limitation, any data about Servify and its services, affiliates or any of its users, employees, or agents, and you agree in advance to abide by such a request. Additionally, you agree to securely and irreversibly delete any data related to the Report immediately upon it no longer being reasonably necessary to retain for the purposes of conveying the impact or scope of the reported issue, after verifying with Servify that it is no longer necessary, and/or if the Report is closed, regardless of the outcome.


Review and Response Protocol

After a Report is submitted in accordance with this VDP, Servify will review the Report and validate its eligibility. Servify will make reasonable efforts to respond to participants of the VDP. The timelines for response are below:

  • First Response (from submission of the Report): 5 days
  • Triage closure (from first response): 3 days

The aforesaid timelines are indicative and may vary depending on the complexity and completeness of your Report, as well as on the number of Reports we receive.

Servify retains sole discretion in determining which Reports are qualified. If Servify receives multiple Reports for the same issue/vulnerabilities from different parties, the participant who submitted the first eligible Report will be qualified for the Security Hall of Fame in terms of this VDP. The decision made by Servify’s security team regarding validity, severity & impact of a vulnerability will be considered final and cannot be contested. Servify may share your vulnerability reports with any affected partners, vendors or open-source projects.


Recognition - Security Hall of Fame

Servify greatly appreciates anyone who has contributed to the security of our users via responsible disclosure of vulnerabilities to us in accordance with this VDP. We thank you for your efforts.

We currently do not offer any bounty/cash reward or any compensation in kind. However, for genuine ethical disclosures in accordance with this VDP, we will gladly acknowledge your contribution publicly in our Security Hall of Fame if you want a public acknowledgement.

Eligibility for Security Hall of Fame:

  • You must be the first person to responsibly disclose the vulnerability.
  • The vulnerability discovered must be found when testing within the scope of this VDP.
  • The reported vulnerability must significantly impact the security and integrity of products or the privacy of customer or partner data.
  • Vulnerabilities are rated Critical, High, Medium or Low. Only vulnerabilities rated Critical, High or Medium will be eligible for the Security Hall of Fame.
  • Servify reserves the right to decide the severity of the vulnerability based on its impact.


Authorization/Safe Harbor

Any activities conducted in a manner consistent with this VDP will be considered authorized conduct and we will not initiate any legal action against you. This limited authorization does not provide you with authorization to access Company data or another person’s account.

Servify cannot authorize any activity on third-party products or guarantee that third parties won’t pursue legal action against you. Servify will not be responsible for any liability arising from actions you perform against third parties. However, if legal action is initiated by any third party against you in connection with activities conducted under this VDP, we will take steps to make it known that your actions were conducted in compliance with this VDP.

We waive any restrictions in our applicable Terms of Service that would prohibit your participation in this VDP, for the limited purpose of your security research conducted in accordance with the terms of this VDP.


Privacy

Please see Servify’s Privacy Policy for disclosures relating to the collection, storage and use of your personal information (such as name, email address, phone number, public profile) in connection with the VDP. Notwithstanding the Privacy Policy, your information may be shared with service providers of Servify in relation to the VDP. Your consent is deemed to be granted for such disclosures when you make a Report.


Confidentiality

Any information you receive, collect or otherwise obtain about Servify and its services, affiliates or any of its users, employees, or agents in connection with the VDP (whether before or after you joined the VDP, notably as a result of you finding and/or investigating a security bug in our in-scope applications or infrastructure) must be kept confidential, held in trust and strictest confidence, used only in connection with the VDP, and not disclosed to any third party. You must protect it against disclosure to any person in the same manner and with the same degree of care (but not less than a reasonable degree of care) with which you would protect your own confidential information.

You will not:

  • access, store, modify or reproduce in writing our users’ data or other confidential information;
  • use any such confidential information, except solely for the purpose of this VDP;
  • divulge, use, disclose or distribute any such Confidential Information, including without limitation, any information regarding your participation in our VDP and any Report, to any third party without prior written approval of Servify;
  • copy or reverse engineer any such confidential information, or use/exploit such confidential information for your own benefit or the benefit of another;
  • discuss this program or any vulnerabilities (even resolved ones) outside of the program;
  • independently develop, or have developed for yourself, products, concepts, systems, or techniques that are similar to or compete with the products, concepts, systems, or techniques contemplated under this VDP. Such development will be construed as a violation of your obligations under this VDP.

All Confidential Information furnished to you by Servify will remain the exclusive property of Servify and Servify will have the sole and exclusive ownership of all right, title, and interest in and to the confidential information, including ownership of all copyrights, patents and trade secrets pertaining thereto, subject only to the rights and privileges expressly granted by Servify under the terms of this VDP.

Promptly upon Servify’s request at any time, you will return, or cause to be returned, to Servify all confidential information, including all materials or documents and any copies, summaries and notes of the contents thereof (whether in hard or soft copy form), including without limitation all copies of any analyses, compilations, studies or other documents prepared by and/or for the company containing or reflecting any confidential information, and give written certification accordingly.

You understand and acknowledge that any misappropriation or disclosure of any of the confidential information in violation of the confidentiality obligations will cause Servify grave and irreparable harm, loss and injury, the amount of which may be difficult to ascertain. You agree that Servify has the right to apply to a court of competent jurisdiction for specific performance and/or an order restraining and enjoining any such further disclosure or breach and for such other relief as Servify will deem appropriate, without posting or the need to post any bond or other security. Such right of Servify to obtain equitable relief in the form of specific performance, temporary restraining order, temporary or permanent injunction or any other equitable remedy which may then be available to it, without the necessity of proving actual damages, will be in addition to the remedies otherwise available to it at law. You expressly waive the defense that a remedy in damages will be adequate.

Grant Of License

Servify does not claim any ownership rights to your Report. However, by providing any Report to Servify, you grant Servify and its subsidiaries/affiliates the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Report:

  • to use, review, assess, test, and otherwise analyze your Report;
  • to reproduce, modify, distribute, display, adapt and perform publicly, and commercialize and create derivative works of your Report and all its content, in whole or in part; and
  • to feature your Report and all of its content in connection with the marketing, sale, or promotion of this VDP or other programs (including internal and external sales meetings, conference presentations, trade shows, and screenshots of the Submission in press releases) in all media (now known or later developed). You agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above.

You are deemed to have understood and acknowledged that Servify may have developed or commissioned materials similar or identical to your Report, and you waive any claims you may have resulting from any similarities to your Report.


Remedies

You will indemnify, defend and hold harmless Servify and its affiliates and their respective directors, employees and consultants (“Indemnified Parties”) from and against any losses, costs, expenses, damages of whatsoever nature which may be incurred or suffered by any Indemnified Party arising out of or as a result of any breach of VDP (including negligence) or otherwise of any of your obligations contained herein.

You also expressly agree and acknowledge that a breach of your obligations under this VDP will result in irreparable and continuing injury to Servify, which may not be fully compensated and for which it would have no adequate remedies under this VDP or under law, and for which monetary damages alone would not constitute reasonable recompense. Notwithstanding anything to the contrary contained in this VDP, the indemnification rights of Servify are in addition and without prejudice to any remedies that Servify may have under applicable law or equity, including specific performance and injunctive relief. Every right or remedy granted by this VDP, whether provided herein or conferred by any statute, common law, custom, trade or usage, is cumulative and not alternative and may be enforced successively or concurrently. Further, appropriate legal recourse will be taken if the identified vulnerabilities are exploited for unlawful gains or for gaining access to restricted customer or system information, for impairing Servify’s systems, if the program guidelines are not followed, or in the event of a breach of the confidential information, and you will not be eligible under the VDP.


General

Nothing contained in this VDP will be construed to obligate Servify to disclose any information to you.

This VDP will be fully binding upon you.

The failure of Servify to insist upon or enforce strict performance of any of the provisions of this VDP or to exercise any rights or remedies under this VDP will not be construed as a waiver or relinquishment to any extent of Servify’s rights to assert or rely upon any such provisions, rights or remedies in that or any other instance; rather the same will remain in full force and effect.

This VDP may be changed, amended, varied, modified or cancelled by Servify at any time, without notice. In case of any change, amendment or modification, a revised version of VDP will be posted here.

This VDP does not intend, in any manner, to create any joint venture, partnership or any other relation (unless expressly agreed in writing) between you and Servify.

This VDP will be governed by, construed and enforced in accordance with the laws of the Republic of India.

The courts in Mumbai, India, will have exclusive jurisdiction.