INTUCATE

1. Introduction

Dharia Enterprises Private Limited ("the Company"), operating under the brand name Intucate, provides an online learning platform purpose-built for students preparing for the Chartered Accountancy (CA) examinations in India. The Intucate platform hosts video lectures, study materials, mock tests, instructor-uploaded content, community discussion forums, paid subscriptions, and supporting web and mobile applications.

The security, privacy, and integrity of our platform and the data entrusted to us by students, instructors, and other users is a responsibility we take with utmost seriousness. We recognise that no technology system can be entirely free of vulnerabilities and that the information security community plays a vital role in identifying weaknesses before they can be exploited by malicious actors.

This Vulnerability Disclosure Policy ("VDP" or "the Policy") establishes a transparent, structured, and legally sound framework through which security researchers, ethical hackers, and members of the public may report potential security vulnerabilities discovered in any in-scope Intucate system. The Policy defines the terms under which such research is authorised, the process for submitting reports, and the protections extended to researchers who act in good faith and in compliance with the conditions herein.

Intucate is committed to acknowledging, investigating, and remediating reported vulnerabilities in a timely and responsible manner. We regard coordinated vulnerability disclosure as a cornerstone of a mature and ethical information security programme.

2. Scope of the Policy

2.1 In-Scope Systems and Assets

The following systems, assets, and services are covered by this Policy:

• Intucate Web Application - the primary learning portal accessible via web browsers (including all subdomains of intucate.com or any successor domain).
• Intucate Mobile Applications - native Android and iOS applications published by Dharia Enterprises Private Limited on official application stores.
• Application Programming Interfaces (APIs) - all REST, GraphQL, or other API endpoints that support the Intucate web and mobile applications, including authentication, content delivery, payment, and notification APIs.
• User Authentication and Authorisation Systems - login, registration, password reset, multi-factor authentication, session management, and access-control mechanisms.
• Student and Instructor Account Portals - account management dashboards, profile settings, subscription management, and content-upload interfaces.
• Payment and Subscription Infrastructure - billing pages and payment flows directly managed and operated by Dharia Enterprises Private Limited.
• Cloud and Hosting Infrastructure - servers, databases, storage buckets, and network configurations directly provisioned and managed by the Company in support of the Intucate platform.
• Backend Administrative Systems - internal management tools and dashboards operated by the Company to administer the platform.

2.2 Out-of-Scope Systems and Assets

The following systems, assets, and services are explicitly excluded from the scope of this Policy. Testing or probing these systems, even if they appear connected to Intucate, is not authorised under this Policy:

• Third-party payment gateways, processors, and financial institutions (e.g., Razorpay, PayU, Stripe, or any other payment service provider) that are accessed via their own platforms.
• Third-party identity providers and single sign-on services not operated directly by Dharia Enterprises Private Limited.
• Third-party content delivery networks (CDNs), video hosting platforms, or cloud services not under the direct control of the Company.
• Third-party analytics, advertising, or tracking tools integrated into the platform via scripts.
• Social media profiles, pages, or accounts associated with the Intucate brand.
• Email service providers and communication platforms used by the Company but not directly operated by it.
• The physical premises, hardware, or internal corporate networks of Dharia Enterprises Private Limited.
• Any system, website, or application not listed under Section 2.1 above.

If you are uncertain whether a particular asset falls within scope, we encourage you to contact us at security@intucate.com before commencing any testing activity.

3. Authorisation for Security Research

Dharia Enterprises Private Limited formally authorises security research activities conducted strictly within the scope defined in Section 2 of this Policy, subject to the conditions and restrictions set out herein. Authorisation under this Policy is conditional and applies only when all of the following requirements are satisfied:

• The researcher conducts testing solely on in-scope systems as defined in Section 2.1.
• The researcher acts in full compliance with the Responsible Disclosure Principles set out in Section 4 and avoids all Prohibited Activities listed in Section 5.
• The researcher submits a complete and timely vulnerability report as described in Sections 6 and 7.
• The researcher does not publicly disclose the vulnerability prior to receiving written confirmation from the Company that the issue has been remediated, or prior to the expiry of the coordinated disclosure timeline defined in Section 12.
• The researcher does not use, retain, share, or monetise any data accessed during testing beyond what is strictly necessary to document the vulnerability.

Authorisation granted under this Policy is personal and non-transferable. It does not constitute permission to conduct testing on behalf of third parties or to share testing access with other individuals. The Company reserves the right to withdraw this authorisation at any time and for any reason, including in cases where a researcher is found to be acting in bad faith or outside the conditions of this Policy.

For the avoidance of doubt, activities not covered by this Policy - including testing of out-of-scope systems, testing conducted using automated tools in a manner that disrupts services, or any activity that results in unauthorised access to user data - are not authorised and may constitute criminal offences under applicable Indian law, including the Information Technology Act, 2000, and its amendments.

4. Responsible Disclosure Principles

Researchers engaging with the Intucate platform under this Policy are expected to adhere to the following principles of responsible disclosure. These principles reflect global best practices in ethical security research and are designed to protect users, the Company, and the researcher alike.

• Act in Good Faith: Conduct all research with the genuine intention of improving the security of the Intucate platform. Avoid actions that could be interpreted as malicious, exploitative, or harmful.
• Respect User Privacy: Do not access, collect, store, transmit, or disclose any personally identifiable information (PII) or sensitive user data. If you inadvertently access user data, cease access immediately and report the incident in your disclosure without retaining or sharing the data.
• Avoid Service Disruption: Do not take any action that degrades, disrupts, or renders unavailable the Intucate platform or any related infrastructure. Limit testing activities to the minimum necessary to establish and document the vulnerability.
• Avoid Data Destruction or Modification: Do not delete, modify, corrupt, or tamper with any data, records, files, or configurations belonging to the Company, its users, or its infrastructure.
• Report Promptly: Submit your vulnerability report to the Company as soon as practicable after identifying the issue, and no later than seventy-two (72) hours after initial discovery. Do not delay reporting in order to investigate the vulnerability more extensively without first notifying the Company.
• Minimise Scope of Access: Access only the systems and data strictly necessary to demonstrate the existence and impact of the vulnerability. Do not use compromised access to explore areas of the platform beyond what is required for proof-of-concept documentation.
• Maintain Confidentiality: Do not disclose any discovered vulnerability to any third party - including on public forums, social media, or vulnerability databases - until the Company has confirmed remediation or has provided written authorisation for coordinated public disclosure pursuant to Section 12.

5. Prohibited Activities

The following activities are strictly prohibited and will void any authorisation granted under this Policy. Researchers who engage in any prohibited activity may be subject to civil liability and/or criminal prosecution under applicable Indian law, including but not limited to the Information Technology Act, 2000, and the Indian Penal Code.

• Accessing, copying, modifying, deleting, exfiltrating, or otherwise processing any user data, instructor data, payment data, or Company data beyond what is strictly necessary to demonstrate the vulnerability.
• Conducting denial-of-service (DoS), distributed denial-of-service (DDoS), resource exhaustion, or any other attack that disrupts, degrades, or impairs the availability of the Intucate platform or any related service.
• Performing or attempting social engineering, phishing, vishing, smishing, or any other deceptive attack targeting the Company's employees, contractors, users, or third-party service providers.
• Exploiting a discovered vulnerability beyond what is strictly necessary to establish and document its existence and impact. Proof-of-concept exploitation must be limited to demonstrating access or the theoretical impact of the vulnerability and must not cause actual harm.
• Using automated scanning tools, crawlers, fuzzers, or exploit frameworks in a manner that generates an excessive volume of requests capable of disrupting service or degrading performance for other users.
• Attempting to compromise systems that are explicitly listed as out-of-scope in Section 2.2.
• Testing while authenticated as any user other than an account you have created and own exclusively for testing purposes.
• Attempting to access, decrypt, or enumerate data of other users, students, or instructors without their explicit prior consent.
• Introducing, deploying, or executing malicious code, ransomware, trojans, worms, or any other malware on any Intucate system.
• Attempting to intercept, monitor, or manipulate network communications other than those between your own controlled test environment and the Intucate platform.
• Physical attacks on data centres, offices, network hardware, or any physical infrastructure.
• Sharing, selling, publishing, or otherwise disclosing vulnerability information to any party other than the Intucate security team.

6. How to Report a Vulnerability

6.1 Reporting Channel

All vulnerability reports must be submitted through the official security reporting channel. Reports submitted through other channels (e.g., general support tickets, social media, or third-party disclosure platforms) may not be processed and will not confer the protections described in this Policy.

6.2 Reporting Process

To submit a vulnerability report, please follow the steps below:

• Prepare your report in accordance with the information requirements set out in Section 7 of this Policy.
• Send the report to security@intucate.com with the subject line: [VDP REPORT] - [Brief Description].
• If the vulnerability involves sensitive user data or credentials, do not include actual user data in the report. Instead, describe the type and category of data that was accessible.
• Attach relevant supporting evidence such as screenshots, screen recordings, HTTP request/response logs, or proof-of-concept code. Ensure all attachments are clearly labelled.
• Do not conduct any further testing of the same vulnerability while awaiting the Company's response, unless you receive written authorisation to do so.
• Await acknowledgement from the Company's security team within forty-eight (48) business hours.

We strongly encourage the use of encrypted communication when transmitting vulnerability details. If you require assistance with encrypted reporting, please contact our security team before submitting.

7. Information to Include in Reports

A well-documented report enables our security team to triage, reproduce, and remediate the vulnerability efficiently. Please include the following information in every report:

7.1 Mandatory Information

• Vulnerability Title: A concise, descriptive title (e.g., "Stored XSS in Community Discussion Module - Unescaped HTML Input").
• Vulnerability Type: The category or class of vulnerability (e.g., SQL Injection, Cross-Site Scripting, Insecure Direct Object Reference, Broken Authentication, IDOR, SSRF, etc.).
• Affected System / Component: Identify the specific system, module, endpoint, or application feature that is vulnerable (e.g., "POST /api/v2/discussions/create - body parameter 'content'").
• Steps to Reproduce: Provide a detailed, step-by-step walkthrough of how to trigger or replicate the vulnerability. Include all relevant HTTP requests, parameters, payloads, and conditions.
• Proof of Concept (PoC): Include a minimal working example demonstrating the existence of the vulnerability. PoC code should be non-destructive and limited to demonstrating impact.
• Impact Assessment: Describe the potential impact of the vulnerability if exploited, including the type of data or functionality that could be compromised, and the affected user population.
• Severity Estimate: Provide your assessment of the vulnerability severity using a recognised framework such as CVSS 3.1 or qualitative labels (Critical / High / Medium / Low / Informational).
• Environment Details: Specify the environment in which the vulnerability was observed (e.g., production, browser version, operating system, mobile OS version, API version).

7.2 Optional but Helpful Information

• Suggested Remediation: If you have recommendations for how the vulnerability could be fixed, please include them. Concrete suggestions are welcomed.
• Supporting Evidence: Screenshots, screen recordings, network traffic captures (HAR files), or log excerpts that corroborate the finding.
• CVE Reference: If the vulnerability relates to a known CVE, include the CVE identifier.
• Researcher Contact: Your name or alias and preferred contact method for follow-up questions.

Incomplete reports lacking mandatory information may result in delayed triage or closure of the report without remediation. We will attempt to contact you for clarification before closing incomplete reports.

8. Response Process and Timelines

Dharia Enterprises Private Limited is committed to handling all vulnerability reports promptly, transparently, and professionally. Our response process is as follows:

8.1 Acknowledgement

Upon receipt of a vulnerability report submitted to security@intucate.com, the Company will send an acknowledgement to the reporter within forty-eight (48) hours. The acknowledgement will confirm receipt of the report and assign a unique tracking reference number.

8.2 Triage and Initial Assessment

Our security team will conduct an initial triage of the reported vulnerability within five (5) business days of acknowledgement. During triage, we will assess the validity of the report, attempt to reproduce the vulnerability, and assign an internal severity classification. We will communicate the outcome of initial triage to the reporter, including whether the report has been accepted for investigation or determined to be out of scope, a duplicate, or invalid.

8.3 Investigation and Remediation

Accepted vulnerabilities will be investigated by the Company's engineering and security teams. The Company targets remediation within ninety (90) calendar days from the date of initial acknowledgement. Actual remediation timelines may vary depending on the severity and complexity of the vulnerability:

• Critical and High severity vulnerabilities: Target remediation within thirty (30) calendar days.
• Medium severity vulnerabilities: Target remediation within sixty (60) calendar days.
• Low and Informational severity vulnerabilities: Target remediation within ninety (90) calendar days.

Where remediation requires significant architectural changes or third-party coordination, the Company will notify the reporter if an extended timeline is required and will provide regular updates at intervals not exceeding thirty (30) calendar days.

8.4 Communication

The Company will maintain open and responsive communication with reporters throughout the investigation and remediation process. We may contact reporters to request additional information, clarification, or verification of the proposed fix. Reporters are encouraged to respond to follow-up inquiries promptly.

8.5 Closure

Upon successful remediation of the reported vulnerability, the Company will notify the reporter and provide confirmation of the fix. At this point, coordinated public disclosure may proceed in accordance with Section 12 of this Policy.

9. Safe Harbour Clause

Dharia Enterprises Private Limited values the contribution of the security research community and recognises that responsible security testing can expose vulnerabilities that improve the safety of our platform and the protection of our users. Accordingly, the Company provides the following assurances to researchers who act in good faith in compliance with this Policy:

• The Company will not initiate or threaten any civil or criminal legal action against a researcher solely on the basis of security research activities conducted in good faith and in strict compliance with this Policy.
• The Company will not file complaints with law enforcement authorities in connection with research activities that comply with the terms of this Policy.
• The Company will advocate on behalf of a researcher if legal action is threatened by a third party in connection with research activities that comply with this Policy.
• The Company will treat a researcher's activity as authorised computer access under this Policy and will not pursue claims under the Information Technology Act, 2000, or any other applicable Indian cyber law, with respect to compliant research activities.

10. Recognition and Rewards

10.1 Current Programme Status

Dharia Enterprises Private Limited is in the process of evaluating the establishment of a formal Bug Bounty Programme for the Intucate platform. At the time of this Policy's effective date, the Company's recognition and reward framework is as follows:

10.2 Eligibility for Recognition

To be eligible for recognition or reward under this Policy, the researcher must:

• Be the first to report the specific vulnerability in question (duplicate reports are not eligible).
• Report a valid, previously unknown, in-scope vulnerability that poses a genuine security risk.
• Have complied with all terms of this Policy, including the Responsible Disclosure Principles and the prohibition on Prohibited Activities.
• Provide a complete report as described in Section 7.
• Not be a current employee, contractor, or immediate family member of an employee or contractor of Dharia Enterprises Private Limited.

10.3 Exclusions

The following categories of findings are generally not eligible for recognition or reward:

• Vulnerabilities in out-of-scope systems (Section 2.2).
• Theoretical or speculative vulnerabilities without a working proof of concept.
• Findings related to software versions or configurations that have been publicly disclosed as vulnerable without additional context or novel exploitation.
• Issues identified solely through automated scanning with no manual analysis or validation.
• Clickjacking on non-sensitive pages.
• Missing security headers that do not result in a direct, demonstrable vulnerability.
• Reports that require physical access to the target device.

11. Confidentiality

All vulnerability information submitted to Dharia Enterprises Private Limited under this Policy is treated as strictly confidential. The Company will not share vulnerability details with third parties without the express prior written consent of the reporting researcher, except where required by applicable law or where disclosure is necessary to coordinate remediation with a directly affected third party.

In turn, researchers are required to maintain strict confidentiality regarding all discovered vulnerabilities, all communications with the Company's security team, all non-public technical information relating to the Intucate platform accessed during testing, and any user data or Company data accessed (whether intentionally or inadvertently) during testing. This obligation of confidentiality commences at the time of discovery and continues until the Company provides written authorisation for public disclosure in accordance with Section 12 of this Policy, or until the vulnerability has been publicly disclosed by the Company itself.

Researchers who breach this confidentiality obligation - including by prematurely disclosing vulnerability details to third parties, posting information on public platforms or social media, or using vulnerability information for personal gain - will forfeit all safe harbour protections described in Section 9 and may be subject to legal action.

12. Coordinated Disclosure

Intucate supports and encourages coordinated vulnerability disclosure. Our goal is to ensure that vulnerabilities are fully remediated before any public disclosure occurs, thereby protecting our users from exploitation during the remediation period. The Company's coordinated disclosure framework operates as follows:

• Upon confirmation that a reported vulnerability has been successfully remediated, the Company will notify the reporter and discuss the possibility of coordinated public disclosure.
• The researcher and the Company will agree on a disclosure timeline, content, and format for any public disclosure. Disclosure may take the form of a security advisory, a blog post, a CVE submission, or any other format agreed upon by both parties.
• The Company requests that researchers refrain from publishing or sharing any information about the vulnerability until at least ninety (90) calendar days have elapsed from the date of initial report submission, or until the Company confirms remediation, whichever occurs first.
• If the Company fails to remediate a reported vulnerability within ninety (90) calendar days and has not provided a satisfactory written explanation and extended timeline, the researcher may provide the Company with a written notice of intent to disclose. The Company will have a further fifteen (15) calendar days to respond before the researcher may proceed with responsible public disclosure.
• In all cases, public disclosures should be factual, non-sensationalised, and should not include sensitive operational details that could facilitate exploitation of similar vulnerabilities in other systems.

The Company will give full credit to the researcher (using their preferred name or alias) in any public security advisory published in connection with a coordinated disclosure, unless the researcher specifically requests anonymity.

13. Platform Security Commitment

Dharia Enterprises Private Limited is committed to maintaining a robust and continuously improving information security programme for the Intucate platform. This commitment includes, but is not limited to:

• Secure Development Lifecycle (SDL): Integrating security review, threat modelling, and code review into the software development and release process.
• Regular Security Assessments: Conducting periodic penetration tests, vulnerability assessments, and security audits by qualified internal or external professionals.
• Data Protection: Implementing appropriate technical and organisational measures to protect the personal data of students, instructors, and other users in accordance with applicable Indian data protection law, including the Digital Personal Data Protection Act, 2023.
• Access Control: Enforcing the principle of least privilege across all internal systems and ensuring that user accounts are protected by strong authentication mechanisms.
• Incident Response: Maintaining an incident response plan to ensure timely detection, containment, and notification of security incidents.
• Employee Training: Providing regular information security awareness training to all employees and contractors with access to the Intucate platform.
• Third-Party Security: Conducting due diligence on third-party vendors and service providers with respect to their information security practices.

We view the security research community as a valued partner in our security programme. Vulnerability reports submitted under this Policy directly contribute to a safer learning environment for all Intucate users and are taken seriously at every level of our organisation.

14. Legal Considerations

This Policy does not authorise any activity that is unlawful under the laws of the Republic of India or any other applicable jurisdiction. Researchers must ensure that their activities comply at all times with applicable law, including but not limited to the following:

• The Information Technology Act, 2000 (as amended by the Information Technology (Amendment) Act, 2008), in particular Sections 43, 66, 66B, and 66C relating to unauthorised access, data theft, and identity theft.
• The Indian Penal Code, 1860, including provisions relating to fraud, cheating by impersonation, criminal breach of trust, and criminal intimidation.
• The Digital Personal Data Protection Act, 2023, regarding the collection, processing, retention, and disclosure of personal data.
• The Payment and Settlement Systems Act, 2007, and applicable Reserve Bank of India guidelines, regarding the handling of payment data.
• Any other applicable central or state legislation of India.

The safe harbour protections described in Section 9 of this Policy are limited in scope and do not override any applicable law. The Company does not and cannot authorise activities that constitute criminal offences under Indian law, regardless of the intent of the researcher. Researchers who are uncertain whether a proposed testing activity is lawful are strongly advised to seek independent legal advice before proceeding. The Company accepts no liability for any legal consequences arising from testing activities conducted outside the scope and conditions of this Policy.

15. Policy Updates

Dharia Enterprises Private Limited reserves the right to amend, update, or replace this Vulnerability Disclosure Policy at any time and at its sole discretion. Updates may be made in response to changes in applicable law, changes in the Company's platform or infrastructure, developments in industry best practices, or feedback received from the security community.

Material updates to this Policy will be communicated by publishing a revised version of this document on the Intucate platform website at https://www.intucate.com/vdp. The version number and effective date will be updated accordingly. Researchers are encouraged to review this Policy periodically to remain aware of any changes. Continued participation in security research activities in respect of the Intucate platform after the publication of an updated Policy will constitute acceptance of the revised terms. Reports submitted prior to a policy update will be governed by the version of the Policy in effect at the time of submission.

16. Contact Information

For all vulnerability disclosure reports, policy clarification enquiries, or general information security communications, please contact the Intucate Security Team using the details below:

Please note that the security@intucate.com address is monitored exclusively for security-related communications. General support requests, billing queries, and academic enquiries submitted to this address may not receive a response. Please contact our general support team for non-security matters.

17. Effective Date

This Policy is effective from the date indicated above and supersedes any prior vulnerability disclosure guidelines or security research policies published by Dharia Enterprises Private Limited.