Protecting our infrastructure and the data entrusted to us by our customers is integral to what we do.
We recommend reading this disclosure policy fully before you report any vulnerabilities. This helps ensure that you understand the policy, and act in compliance with it. We value the work done by security researchers in making the Internet a safer and more secure space and have developed this policy using guidance from ISO 29147:2018.
As an organization committed to the highest transparency, and working closely with our developer community, it should be no surprise that CredAvenue extends the same philosophy, in good faith, to our relationship with security researchers. CredAvenue welcomes the responsible disclosure of potential security vulnerabilities in our products, services or systems, subject to the terms and conditions outlined in this policy. In return, CredAvenue makes efforts, wherever we can, to show our appreciation to security researchers who take the time and effort to investigate and report security vulnerabilities to us according to this policy.
We are committed to thoroughly investigating, understanding and resolving security issues across our websites in collaboration with the security community.
Any of the CredAvenue services (iOS, Android or web apps) which process, store, transfer or otherwise use personal or sensitive personal information, such as customer data and authentication data.
The fully qualified domain names of the systems within scope are listed below. Subdomains not explicitly listed are not in-scope.
Products and services in scope:
Together referred to as Platform.
The policy applies to everyone, including, for example, CredAvenue staff, third-party suppliers and general users of the CredAvenue services.
Unfortunately, due to CredAvenue's funding structure, it is not currently possible for us to offer a paid bug bounty programme. We will, however, make efforts, wherever we can, to show our appreciation to security researchers who take the time and effort to investigate and report security vulnerabilities to us according to this policy.
If you want to actively test our systems for vulnerabilities, you must:
And you must not:
CredAvenue will not engage in legal action against individuals or entities that submit vulnerability reports covering in-scope products and services (as defined above) through the approved channels (defined below).
Furthermore, CredAvenue agrees not to pursue legal action against individuals or entities that adhere to the following rules of engagement when identifying and submitting vulnerabilities unless we are compelled to do so by a regulatory authority, other third party, or applicable laws:
Must not perform:
We ask you to securely delete any and all data retrieved during your research as soon as it is no longer required, or within 1 month of the vulnerability being resolved, whichever occurs first.
Disclosure Guidelines for Vulnerabilities in Third-Party Software:
When you discover a security vulnerability in a third-party product, the following disclosure guideline applies:
Vulnerability reports should be submitted to the CredAvenue security team via email, to the address email@example.com.
Full Name of the Individual:
Link to their professional handles (LinkedIn, Twitter, Facebook, GitHub, etc.)
Detailed POC with the below details:
Preference, Prioritization and Acceptance Criteria
In order to obtain the most value from this program, for both CredAvenue and the participating security researcher, we strongly advise that, and will give priority to, disclosures which include:
If you follow these guidelines, you can expect the following from CredAvenue:
After submission, if your issue is accepted, you will hear from us within 72 hours.
If you do not hear from us within 72 hours, it means your issue has not been accepted this time.
The team will triage the reported vulnerability and respond as soon as possible to let you know whether further information is required, whether the vulnerability is in or out of scope, or is a duplicate report. If remediation work is necessary, it is assigned to the appropriate CredAvenue teams or supplier(s).
Priority for bug fixes or mitigations is assessed by looking at the impact severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire about the status of the process, but should avoid doing so more than once every 14 days, so that our teams can focus on the reports as much as possible.
When the reported vulnerability is resolved, or remediation work is scheduled, the Vulnerability Disclosure Team will notify you, and invite you to confirm that the solution covers the vulnerability adequately.
The disclosure point is not intended for:
Your participation in the Program will not violate any law applicable to you or disrupt or compromise any data that is not your own.
You are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments when we run bug bounty programs in the future.
CredAvenue reserves the right to terminate or discontinue the Program at its discretion.