Vulnerability Disclosure Program | Petpooja
TRUST & SECURITY

Vulnerability Disclosure Program

Petpooja values the security of our systems and the responsible disclosure efforts of the security research community.

Found a security issue? Tell us responsibly.

If you believe you have identified a security vulnerability affecting Petpooja systems or applications, we encourage you to report it responsibly through our coordinated vulnerability disclosure process.

OUR COMMITMENT

Safe Harbor

Petpooja supports good-faith security research conducted in accordance with this policy.

GOOD FAITH

We will not pursue legal action against researchers who follow this policy.

We will not pursue legal action against researchers who:

  • Act in good faith
  • Avoid privacy violations and service disruption
  • Do not access or modify customer data unnecessarily
  • Provide us reasonable time to investigate and remediate reported vulnerabilities

If you believe your testing may exceed these guidelines, please contact us before proceeding.

Reporting Guidelines

A clear, complete report helps our team verify and remediate faster — and keeps researchers safe from misuse claims.

Please provide

  • Clear vulnerability description
  • Reproduction steps
  • Impact assessment
  • Supporting evidence
  • Affected URLs/assets

Please avoid

  • Denial-of-service testing
  • Spam/scanner floods
  • Social engineering
  • Accessing customer data unnecessarily
  • Destructive testing
  • Automated exploitation at scale

WHAT WE COVER

Scope

This program applies to production systems and services owned and operated by Petpooja.

In Scope

  • Production web applications under *.petpooja.com
  • Production APIs
  • Official Petpooja mobile applications
  • Publicly accessible production infrastructure owned by Petpooja
  • Electron POS

Out of Scope

Domains & subdomains

  • *.petpooja.in
  • #test#.petpooja.com
  • #staging#.petpooja.com
  • #dev#.petpooja.com
  • #stag#.petpooja.com
  • #staging#.kharcha.com
  • *.petpooja.co.in
  • *.tvito.com
  • blog.petpooja.com

Activities & environments

  • Staging, development, QA, testing, or temporary environments
  • Third-party services or integrations not controlled by Petpooja
  • Social engineering or phishing attacks
  • Physical attacks
  • Denial-of-service testing

RECOGNITION

Rewards

Petpooja may, at its sole discretion, provide monetary or non-monetary recognition for valid, original, and impactful vulnerability reports.

Rewards are not guaranteed and are evaluated based on factors including:

  • Severity
  • Impact
  • Report quality
  • Exploitability
  • Business risk

KNOWN INELIGIBLE

Out-of-Scope Vulnerabilities

Reports limited to the following classes are typically closed as informative. Submitting a working PoC that demonstrates real impact may still qualify.

  • Broken link hijacking (low severity)
  • Google Maps API key exposure
  • Clickjacking on pages without sensitive actions
  • CSRF on unauthenticated or non-sensitive actions
  • Attacks requiring MITM or physical device access
  • Known vulnerable libraries without a working Proof of Concept
  • CSV injection without demonstrated impact
  • SSL/TLS best-practice issues
  • Missing or weak Content Security Policy configurations
  • Missing HttpOnly or Secure cookie flags
  • Email configuration issues (SPF, DKIM, DMARC)
  • Rate-limiting or brute-force concerns
  • CDN cache invalidation or asset expiry issues
  • Software version disclosure, banners, verbose errors
  • Tabnabbing
  • Open redirects without additional exploitability
  • Self-XSS
  • Promo code or referral abuse
  • Access to publicly available user information
  • Username or email enumeration
  • Third-party platform warnings (e.g., hosting providers, CMS platforms)
  • Issues affecting outdated or unsupported browsers (more than two versions behind)

IMPORTANT

Disclosure Policy

Public disclosure of vulnerabilities is not permitted without explicit written authorization from Petpooja.

Coordinating disclosure protects our customers while a fix is rolled out. Please wait for our written go-ahead before publishing any details, including blog posts, talks, or social media.

Need authorization? security@petpooja.com

Submit a Report

All reports are handled confidentially through our coordinated disclosure platform.

security@petpooja.com

Use the inline form on this page, or email us directly. Either way, every report is acknowledged.