Responsible Disclosure Policy

Webvillee Technology Pvt. Ltd. will engage with external security researchers when vulnerabilities are reported according to the rules set forth in this Responsible Disclosure Policy.

Rules

Any vulnerabilities submitted through this policy must adhere to the following rules:
  • Submissions must adhere to the scope mentioned in this policy.
  • Any information about the vulnerability must remain confidential between Webvillee and the researcher indefinitely.
  • The vulnerability cannot be disclosed in any medium or form.
  • Do not perform any attack that would compromise the integrity of Webvillee’s services.
  • DDoS attacks are strictly prohibited.
  • You waive claims of any nature arising out of a disclosure accepted by Webvillee.

Requests for Compensation

Webvillee provides Hall of Fame acknowledgment on its website but does not provide monetary compensation for reported vulnerabilities.

Requesting compensation will make the submission non-compliant with this policy. However, Webvillee may choose to issue a Certificate of Appreciation or provide company swag at its sole discretion.

Scope

In Scope

The following targets are considered in scope:

  • Webvillee Technology Pvt. Ltd.’s website located at https://webvillee.com
  • Webvillee Technology Pvt. Ltd.’s web applications located at https://{subdomain}.webvillee.com
Out of Scope

  • Social engineering
  • DDoS attacks
  • Automation scripts and tools
  • Spelling mistakes
  • UI/UX bugs
  • Issues that do not affect the latest version of modern browsers
  • General best practice concerns
  • Same issue reported under multiple subdomains
  • Self-XSS
  • Open redirects without proven security impact
  • Brute force attacks
  • Man-in-the-middle attacks
  • Clickjacking without proven security impact
  • Disclosed Google API keys
  • Verbose messages or errors without disclosure of sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Tab-nabbing
  • Host header injection
  • Cross-domain referrer leakage
  • Email spoofing, SPF, DMARC, or DKIM issues
  • Email bombing
  • Version disclosure
  • Issues requiring unlikely user interaction
  • Broken link hijacking (e.g., social media links)
  • Weak SSL/TLS configuration reports
  • API key disclosure without proven security impact
  • Physical attacks requiring access to a victim’s device
  • Recently disclosed 0-day vulnerabilities in third-party products
  • Reports without proof of exploitation
  • Stripping EXIF data (considered by design)
  • Known issues

How to Submit a Vulnerability Report

All vulnerabilities must be reported to security@Webvillee.com with the following details:

Details Required

  • Full Name
  • Mobile Number
  • LinkedIn Profile
Bug Details

  • Name of the Vulnerability
  • Proof of Concept
  • Detailed Steps to Reproduce

Preference, Prioritization, and Acceptance Criteria

What We Would Like to See From You

  • Well-written reports in English have a higher probability of resolution.
  • Reports that include proof-of-concept code help us better triage issues.
  • Reports containing only automated tool output may receive lower priority.
  • Reports outside the defined scope may receive lower priority.
  • Please include details on how the bug was discovered, its impact, and any suggested remediation.
  • Please include any plans or intentions regarding public disclosure.

What You Can Expect From Webvillee

  • A timely response within 3 business days.
  • An estimated remediation timeline after triage.
  • Transparent communication regarding progress and challenges.
  • An open dialogue to discuss issues.
  • Notifications during each stage of the review process.
  • Credit, acknowledgment, or certification after successful validation and remediation.

Complying With This Policy

As long as you comply with this policy, Webvillee Technology Pvt. Ltd. commits to the following:

  • Webvillee will not pursue civil or criminal legal action against researchers for accidental, good-faith violations of this policy where no harm has been caused.
  • Activities conducted in accordance with this policy are considered authorized conduct under applicable laws.
  • Webvillee will work with researchers to understand and remediate vulnerabilities.
  • Researchers will be informed regarding the timeline for remediation after verification of authenticity.

Public Disclosure

By default, this program operates in “PUBLIC NONDISCLOSURE” mode.

THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ANY PERSON RELEASING INFORMATION ABOUT VULNERABILITIES FOUND UNDER THIS PROGRAM MAY BE SUBJECT TO LEGAL ACTION AND PENALTIES.