Vulnerability Disclosure Policy

Effective date: 2024-08-01

At iSTAR Skill Development Pvt. Ltd. (Salesken), we are committed to ensuring the security and privacy of our systems, products, and services. We value the contributions of the security community in identifying vulnerabilities responsibly and aim to work collaboratively to address them.

Purpose

This policy outlines guidelines for security researchers to report vulnerabilities, our expectations for responsible disclosure, and the steps we will take to address valid reports.

Scope

The following assets are within the scope of this policy:

  1. Applications: Web app, desktop apps, browser extensions, CRM Plugins, API
  2. Infrastructure: *.salesken.ai
  3. Exclusions:
    • Third-party services or products.
    • Outdated browsers or unsupported versions of our applications.

What We Expect from Researchers

We ask security researchers to:

  1. Act in good faith to avoid privacy violations, destruction of data, and disruption of services.
  2. Do not exploit the vulnerability beyond the extent required to demonstrate the issue.
  3. Report vulnerabilities through our dedicated channel: contact@salesken.ai
  4. Provide a detailed report including:
    • Description of the vulnerability.
    • Steps to reproduce the issue (e.g., screenshots, video).
    • Potential impact.
  5. Maintain confidentiality of the vulnerability until it is resolved.

What Researchers Can Expect from Us

When a vulnerability is reported:

  1. We will acknowledge the submission within 3 business days.
  2. We will provide regular updates on the status of the reported issue.
  3. If the report is valid and within scope, we will:
    • Work to resolve the issue promptly
    • Offer a gift card based on severity.

Exclusions

The following activities are strictly prohibited and will disqualify participants from our program:

  1. Unauthorized access to data or accounts.
  2. Any form of social engineering, including phishing.
  3. Physical security testing of our offices, data centers, or staff.
  4. DDoS attacks or attempts to disrupt our operations.
  5. Automated scanning or brute-force attacks that may affect system availability.

Reports resulting from these activities will not be eligible for rewards and may result in legal action.

Reward Structure

  • Rewards will be determined based on the severity and impact of the vulnerability.
  • Cash Voucher or monetary credit of $50 to $1000 based on our assessment of severity and business impact.
  • Non-monetary recognition (e.g., Hall of Fame mention) may also be provided

Legal Safe Harbor

If you follow this policy in good faith:

  • We will not pursue or support legal action against you.
  • This protection does not apply to actions that violate the exclusions listed above.

How to Report

Send your vulnerability reports to:

  • Email: contact@salesken.ai
  • Include your name, contact information, and a clear description of the vulnerability.

Acknowledgment

We thank you for helping make Salesken more secure. Your efforts are greatly appreciated.