Security Disclosure Policy
If you believe you have found a security vulnerability in this website or, in future, in the Nodal Pay application, this policy explains how to report it to us responsibly and what you can expect in return.
1. Our approach to security
This Security Disclosure and Responsible Reporting Policy is issued by [LEGAL ENTITY NAME] ("Nodal Pay", "we", "us"). Security is a design priority for Nodal Pay. We are building our platform with practices such as encryption of data in transit, access controls, secure development processes, and regular internal review, and we plan to continue strengthening these practices as the product matures.
At the same time, we are honest about what any organisation can promise: no system is completely free of vulnerabilities, and we do not claim that ours is. That is exactly why responsible reports from security researchers and users matter to us. If you find a weakness, we would rather hear about it from you first.
Because Nodal Pay is currently under development, this policy is itself a draft. The reporting channel, timelines, and processes described below are indicative and will be confirmed and finalised before public launch.
2. Scope of this policy
This policy currently applies to:
- this marketing website and its subpages; and
- any pre launch web infrastructure that we operate and that is publicly reachable.
Once the Nodal Pay application launches, we intend to extend this policy to cover the app and its supporting services, and we will publish an updated version of this document at that time. Systems operated by third parties, including app stores, hosting providers, analytics services, and any regulated payment partners we may work with, are not covered by this policy and are subject to those parties' own disclosure programmes.
3. How to report a vulnerability
Please send vulnerability reports to [SECURITY EMAIL]. The final reporting channel, including any encryption keys or a security.txt file, will be confirmed and published before launch.
A useful report typically includes:
- Description, a clear summary of the vulnerability and the affected page, endpoint, or component;
- Steps to reproduce, the specific actions, requests, or configuration needed to observe the issue, with screenshots or request/response samples where helpful;
- Impact, your assessment of what an attacker could realistically achieve, such as data exposure, account access, or content manipulation;
- Environment, browser, device, or tooling details if relevant; and
- Your contact details, so we can ask follow up questions and keep you informed. Anonymous reports are accepted, but we cannot provide updates or recognition without a way to reach you.
Please report each distinct vulnerability separately, and do not include more personal data in your report than is necessary to demonstrate the issue.
4. Our commitments to reporters
When you report in good faith under this policy, we aim to:
- acknowledge receipt of your report, indicatively within 5 working days;
- investigate the report and assess its severity and impact;
- keep you reasonably informed of progress while we work on a fix, where you have provided contact details;
- let you know when the issue has been resolved, or explain why we have assessed it as out of scope or not a vulnerability; and
- treat your report and your identity confidentially, and not share your details with third parties without your consent, except where required by applicable law.
These timelines are indicative. As a small pre launch team, we may occasionally take longer, but we will make reasonable efforts to respond promptly and to prioritise issues by severity.
5. Good faith research guidelines
We consider security research to be conducted in good faith under this policy when you:
- do not access, modify, or delete data belonging to other users or to us beyond the minimum necessary to demonstrate the vulnerability;
- stop and report immediately if you encounter personal data, and do not copy, store, or share it;
- do not degrade, disrupt, or take down our services, including through load or stress testing;
- do not use social engineering, phishing, or physical intrusion against our team, users, or partners;
- do not demand payment or other consideration as a condition of reporting or withholding disclosure; and
- give us a reasonable period to investigate and remediate the issue before disclosing it publicly. We ask for at least 90 days from your report, and we are happy to discuss coordinated disclosure timelines with you.
6. Out of scope
The following are outside the scope of this policy and should not be tested or reported under it:
- denial of service or distributed denial of service attacks of any kind, including resource exhaustion testing;
- spam, content injection without a demonstrated security impact, and social engineering attacks;
- physical attacks against offices, infrastructure, or personnel;
- vulnerabilities in third party services, platforms, or dependencies that we do not operate, please report these to the relevant provider;
- reports based solely on automated scanner output without a demonstrated, reproducible impact; and
- missing best practice hardening (for example, individual missing security headers or verbose error messages) with no plausible exploitation path.
If you are unsure whether something is in scope, ask us first at [SECURITY EMAIL] before testing.
7. No bounty programme at this stage
Nodal Pay does not currently operate a paid bug bounty programme, and no monetary reward is promised or implied for reports made under this policy. We may consider introducing a reward or bounty programme after launch; if we do, its terms will be published separately on this page.
8. Legal note
We value good faith security research. If you make a genuine, good faith effort to comply with this policy while researching and reporting a vulnerability, we do not intend to initiate legal action against you for that research, and we will consider your activity to be authorised to the extent we are able to do so. This position is subject to applicable law, including the Information Technology Act 2000 and other Indian legislation, and cannot override obligations we may have to regulators or law enforcement authorities. It also does not extend to conduct that falls outside the guidelines in this policy, such as accessing other users' data, disrupting services, or extortion.
This policy does not give you permission to act in violation of any law, and it does not bind third parties whose systems or data may be affected by your research.
9. Recognition
With your consent, we would be glad to acknowledge reporters who responsibly disclose valid vulnerabilities, for example, by naming you (or your handle) on a public acknowledgements list once one is established after launch. If you prefer to remain anonymous, we will of course respect that.
10. Contact and related policies
Security reports: [SECURITY EMAIL]. For general queries, please use the details on our Contact page, and for account or service complaints, please see our Grievance Redressal Policy. You may also wish to read our Privacy Policy, Terms of Use, and Acceptable Use Policy, which apply alongside this document.
We may update this policy from time to time, including before launch. The "Last updated" date at the top of this page reflects the most recent revision.