Vulnerability Disclosure Policy

    Accepted Vulnerabilities

    • Any vulnerability, whether or not it is part of the OWASP Top 10 or SANS 25, is accepted as long as it is:
      • Directly associated with the systems in scope
      • Unique (not reported by another researcher before)
      • Not a P5 issue in Bugcrowd's Vulnerability Rating Taxonomy (VRT)

    Out of Scope

    • Any domain not mentioned in the in-scope list
    • Third-party vendors/applications/services/platforms used by Bharat Rojgar
    • API key disclosure without proven business impact
    • WordPress usernames disclosure
    • Self-XSS that cannot be used to exploit other users
    • Verbose messages/files/directory listings without sensitive information
    • CORS misconfiguration on non-sensitive endpoints
    • Missing cookie flags
    • Missing security headers
    • CSRF with no or low impact
    • Presence of autocomplete attribute on web forms
    • Reverse tab-nabbing
    • Non-existence of rate-limits
    • Email bombing
    • Best practices violations (password complexity, expiration, reuse, etc.)
    • Clickjacking without proven impact, or requiring unrealistic user interaction
    • Sessions not being invalidated
    • Tokens leaked to third parties
    • Anything related to email spoofing, SPF, DMARC, DKIM
    • Content injection without HTML modification
    • HTTP Request Smuggling without proven impact
    • Homograph attacks
    • XMLRPC enabled
    • Banner grabbing/Version disclosure
    • Not stripping metadata of images/files
    • Same-site scripting
    • Subdomain takeover without takeover proof
    • Origin IP disclosure
    • Misconfigured Google Maps API keys
    • Host header injection without proven business impact
    • Outdated Swagger version & related issues
    • Cache Poisoning
    • Metrics exposure
    • Vulnerabilities requiring extensive user interaction
    • Vulnerabilities requiring root access, or certificate-pinning bypass on rooted devices
    • Attacks requiring physical access/social engineering/phishing/fraud

    Prohibited Testing Methodologies

    • DoS/DDoS attacks or automated scanners
    • Brute force & dictionary attacks
    • Phishing or any social engineering
    • Attacks against Bharat Rojgar users & employees
    • Attempts to compromise accounts
    • Modifying or disrupting the organization's systems or services
    • Vulnerabilities obtained through compromise of accounts

    Reporting Procedures

    • Email us via the specified email ID on our website
    • If the vulnerability involves a third-party vendor/service, suspend testing and inform us
    • We will notify the third party and update you if further testing is allowed

    Official Channels

    • Report queries only via our official email ID
    • We aim to reply within 5 business days (send a reminder if no response after 1 week)

    Our Commitments

    • Respond promptly and validate reports
    • Keep researchers informed during the process
    • Remediate vulnerabilities in a timely manner
    • Extend Safe Harbor if you comply with this policy
    • Not undermine valid findings

    Our Expectations

    • Follow all applicable laws
    • Report vulnerabilities promptly
    • Do not exploit critical vulnerabilities that could cause data loss, RCE, or outages
    • If you gain CLI access, STOP immediately and notify us
    • Avoid disrupting services, exposing sensitive data, or harming user experience
    • Use only official channels for reporting
    • Respect confidentiality and do not leak reports
    • Provide at least 30 days for remediation before public disclosure
    • Use custom, safe payloads for PoCs
    • Access minimum required data for demonstrations
    • Use only your own or explicitly permitted accounts
    • Do not engage in extortion
    • If accidental access to user/company data occurs:
      • Stop immediately
      • Report the accessed information
      • Delete the data immediately
      • Mention it in your bug report
      • Do not share it with anyone

    Confidentiality

    • Both parties must maintain strict confidentiality
    • Researchers must not disclose vulnerabilities without written permission

    Safe Harbor

    • Research conducted under this policy is:
      • Authorized under anti-hacking and anti-circumvention laws
      • Exempt from conflicting ToS/AUP clauses
      • Lawful, good-faith security research
    • If legal action is initiated by a third party, we will support researchers who acted in compliance
    • Bharat Rojgar cannot authorize testing on third-party products

    Bug Bounty / Reward

    • Findings in accordance with the rules will be rewarded by featuring your name & contribution on our website/app
    • No cash rewards as of now (may be introduced in the future)
    • Only the first valid reporter gets recognition
    • Duplicates or invalid reports will not be eligible
    • Public disclosure/blogs allowed after remediation & approval

    Disclaimer

    • Bharat Rojgar does not store credit/debit card details
    • Not liable for loss due to disclosure during online transactions
    • Not liable for unrequested personal information provided by users
    • Users should verify information before interacting with others
    • Never share private details (OTP, bank, PAN, Aadhaar, etc.)
    • Report inappropriate content via our email
    • For suicide & self-harm content: report immediately to us

    Changes to This Policy

    • We may update this policy from time to time
    • Updates are effective immediately once posted
    • Users should review this page periodically

    Fraud & Safety Guidelines

    • Report fraud/suspicious job offers, consultants, contractors, freelancers via our feedback section
    • Email suspicious reports to: contact@bharatrojgar.info
    • Report to cyber-crime department: Helpline 1930
    • Stay alert:
      • Never share bank/OTP/personal details
      • Verify online presence of companies
      • Bharat Rojgar is completely free – do not make payments

    All visitors agree to abide by the Privacy & Legal Policy of Bharatrojgar.info

    All rights reserved © 2025 by Bharatrojgar.info