Responsible Vulnerability Disclosure Program
Service Lee Technologies Private Limited ("Servify") appreciates and acknowledges independent security researchers for helping keep Servify and our customers secure. Our customers' privacy and the confidentiality, integrity and availability of our systems are our highest priorities.
Guidelines:
- Do not access customer or employee personal information. If you accidentally access any of these, please stop testing and submit the vulnerability.
- Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
- Please do not run automated scans or disrupt production systems.
- Perform research only within the defined scope.
Our Response:
Servify will make reasonable efforts to meet the following response targets for ethical hackers participating in our program:
- First Response Time (from submission): 5 days
- Triage (from the first response): 3 days
How To Report:
Any identified vulnerability should be reported to [email protected]. The mail should be in the format shown below:
Researcher Detail:
- Researcher Name:
- Publicly Identifiable Profile (LinkedIn, Twitter, etc.):
- Vulnerability Title:
- Affected URL/Location:
- Vulnerability Description:
- Proof of Concept:
- Impact:
- Remediation Steps if any:
Program Scope:
Any Servify-owned web or mobile application that handles data (including personal data) is intended to be in scope. This includes, but is not limited to, the following domains and applications:
- *.servify.in
- *.servify.tech
- Servify Android application
- Servify iOS application
Out of Scope:
When reporting vulnerabilities, consider the attack scenario, exploitability and security impact of the bug. The following issues are considered out of scope for this Program, and we will not accept reports of the following types:
- Denial-of-service attacks.
- Email spoofing.
- Spam, social engineering or email phishing techniques.
- Email or account enumeration.
- Any physical access issues.
- Publicly accessible pages.
- Any weakness or disclosure of information which does not lead to a direct vulnerability.
- Vulnerabilities in third-party apps or websites, which are generally not within the scope of our Program.
- Rate-limiting issues (unless they imply a severe threat to data or business loss).
- Duplicate submissions of vulnerabilities already identified by external or internal researchers.
- Vulnerabilities related to Google Maps API keys.
- Multiple recurrences of the same vulnerability on different domains will be treated as the same issue.
- Software version disclosure.
- Cross-site request forgery (CSRF) in non-sensitive functions.
- Missing/misconfigured SPF/DMARC DNS-records.
- Weak or misconfigured SSL/TLS parameters.
- Content spoofing.
- WordPress vulnerabilities that are not of High or Critical severity.
- Vulnerabilities that are limited to unsupported browsers.
- Username/email enumeration, password guessing and exposed API interfaces (such as xmlrpc.php) in standard software (e.g. WordPress).
Hall of Fame:
Servify greatly appreciates anyone who has contributed to the security of our users by responsibly disclosing vulnerabilities to us. Thank you for your efforts. We currently do not offer any monetary compensation, but we are happy to recognize you on our Security Hall of Fame.
Servify only accepts Critical, High and Medium severity issues for the Hall of Fame page.