Dezerv Responsible Disclosure Programme

We invite security researchers and ethical hackers to help us identify and responsibly disclose vulnerabilities

Rules of Engagement

To ensure a productive and respectful collaboration, we ask all participants to adhere to the following guidelines:

Protect User Privacy

Do not access, alter, or share user data.

Non-Invasive Testing

Avoid tests that could disrupt services (e.g., DoS attacks).

Stay In Scope

Test only the systems listed under “In-Scope Assets.”

Keep It Private

Share vulnerabilities only with our team. Avoid public disclosure.

Co-ordination

You are obliged to share any additional information if asked for it; refusal will invalidate the submission.

Follow the Law

All testing must comply with applicable laws and regulations.

Use Your Own Account

Testing must be performed using accounts you own.

Failure to comply may result in removal from the programme or legal action.

Rewards

Rewards depend on issue severity, compliance with these guidelines and Dezerv's discretion. We may choose not to provide any reward if a report is deemed non-critical.

In-Scope Assets

The following systems are within the scope of this programme:

1. Dezerv.in

2. Dezerv Mobile App (iOS & Android)

3. Wealth Monitor App (iOS & Android)

Out-of-Scope Assets

Testing of the following is strictly prohibited:

- Third-party platforms (e.g., payment processors, cloud services)

- Internal Dezerv networks or infrastructure

- Social engineering (e.g., phishing, vishing)

- Physical security or office assessments

Eligible Vulnerabilities

Priority | Vulnerability Type | Example
Critical | Remote Code Execution (RCE) | Execute unauthorised code on our systems
Critical | SQL Injection (High Impact) | Exfiltrate sensitive data from databases
Critical | Authentication Bypass | Gain access to privileged areas without credentials
High | Persistent Cross-Site Scripting (XSS) | Malicious scripts that impact other users
High | Broken Access Control | Access resources without permission
High | Sensitive Data Exposure | Leak of confidential user or system data
Medium | Cross-Site Request Forgery (CSRF) | Perform actions on behalf of a user without their consent
Medium | Insecure Direct Object References (IDOR) | Accessing data belonging to other users
Low | Information Disclosure (Non-Critical) | Minor leaks of system/configuration data

Duplicate reports, non-adherence to the Rules of Engagement, issues with minimal impact, or reports lacking proof of exploitability may not qualify for recognition.

How to Submit a Report

Ready to submit a vulnerability? Use our secure form to share your findings, including:

- A clear and detailed description of the issue

- Step-by-step reproduction instructions

- Potential security impact

- Any relevant evidence (screenshots, videos, PoC)

Our team will acknowledge your report within 48 hours and work with you to resolve the issue promptly.

For any questions, reach out at: sec@dezerv.in

ISO 27001 Certified

Compliant with international data standards

Regulated entity

With licenses from SEBI and AMFI

Secure and private

Data encrypted with 256-bit AES encryption.

©2021-2025 Dezerv. All Rights Reserved

Dezerv Investments Private Limited is a Portfolio Manager with SEBI Registration no. INP000007377. An Investment Manager to Category - I AIF-VCF-Angel Fund with SEBI Registration no. IN/AIF1/22-23/1066 and Category II AIF - Dezerv Alternatives Trust with SEBI Registration no. IN/AIF2/23-24/1345.


Mutual Fund distribution services are offered through Dezerv Distribution Services Pvt. Limited. AMFI Registration No.: ARN -248439. Mutual fund investments are subject to market risks, read all scheme related documents carefully. Terms and conditions of the website are applicable. Privacy policy of the website is applicable.
