Responsible / Vulnerability Disclosure
Effective Date: May 2026
INNOWINDS TECHNOLOGIES PRIVATE LIMITED ("Bachpankart", "we", "us") welcomes responsible disclosure of security vulnerabilities affecting our platforms. This page describes the scope, guidelines, and program terms for researchers participating in our disclosure program.
Scope
- The Bachpankart shopping application across all supported platforms, including the desktop website, mobile website, and official mobile applications (Android and iOS), where available.
- All subdomains related to the Bachpankart shopping application and its official services.
A vulnerability that affects multiple Bachpankart domains or subdomains through the same root cause will be treated as a single report. Issues outside the defined scope (for example, unrelated third-party sites or infrastructure not operated by Bachpankart) are not eligible under this program. We still welcome a report on an out-of-scope domain or subdomain if you believe the vulnerability could materially affect Bachpankart users or systems.
Vulnerabilities we are especially interested in
- Authentication and authorization flaws
- Insecure cryptography
- Remote code execution
- Injection vulnerabilities
- Cross-site scripting (XSS)
- Server-side request forgery (SSRF)
- Business logic flaws
Exclusions
The following are generally out of scope for this program (non-exhaustive):
- Missing SPF or DMARC records
- Reports from automated scripts or scanners without manual validation
- Missing security headers without demonstrated impact
- Open redirects or forwards when leaving the site, without security impact
- Vulnerabilities requiring extensive or impractical social engineering
- Cross-site scripting (XSS) with impact limited to the reporter's own account only
- Missing best practices in SSL/TLS configuration without exploitable impact
- Attacks requiring man-in-the-middle or physical access to a user's device
- Use of known vulnerable libraries without a proof of concept
- Missing Secure or HttpOnly flags on non-sensitive cookies
- Missing or weak rate limiting without demonstrated impact
- Password policy observations without demonstrated exploitability
- Credential stuffing attacks
- Lack of obfuscation in mobile applications
Bachpankart reserves the right to modify this exclusions list at any time.
Guidelines
- Email your findings to hello@bachpankart.com.
- Do not disclose the reported vulnerability to others until we have had reasonable time to investigate and address it.
- Respect the privacy of our users at all times.
- Do not attempt to extort us or demand payment in exchange for a report.
- Do not take undue advantage of a vulnerability—for example, by downloading more data than necessary to demonstrate the issue, or by deleting or modifying other users' data.
- Do not perform denial-of-service attacks, corrupt data, conduct buffer overflow testing against production systems without prior coordination, or engage in social engineering or spam.
- Include a detailed report with your finding: proof of concept, impact assessment, screenshots, reproducible steps, and recommendations. Provide enough information for us to reproduce the vulnerability so we can resolve it as quickly as possible; reports without sufficient detail may be delayed or not accepted as valid.
- Multiple vulnerabilities caused by one underlying issue will be treated as a single report.
- Do not publish the report, vulnerability details, or related write-ups without our written permission.
Program policy
Bachpankart reserves all rights to modify the terms and conditions of this program. Your participation constitutes acceptance of all applicable terms. Updated terms are effective upon posting on this page.
The researcher who first reports a valid, in-scope vulnerability may be acknowledged once the issue is resolved. We appreciate responsible security research and may acknowledge contributions with an appreciation email, a digital certificate, or public recognition on our security acknowledgements page, depending on the severity and nature of the finding. Severity is determined by Bachpankart at its sole discretion.
Participation in this program does not guarantee a bounty, reward, or compensation unless expressly agreed in writing. For general enquiries, see our Contact Us page.