Responsible Disclosure & Vulnerability Reporting Policy
Overview
Responsible Disclosure is bridg.money’s public invitation to discover and privately report vulnerabilities before they can be exploited. As a Technology Service Provider (TSP) bridging banks and businesses, we rely on a robust security posture to safeguard every payment flow. By following this policy, you are authorised to conduct certain security research on specified assets without fear of legal action, provided you act in good faith and comply with the rules below.
Definitions
- Researcher: Any individual or entity performing security testing under this policy.
- In-scope asset: A domain, sub-domain, API, application or environment explicitly listed in Scope of Testing.
- Vulnerability: A weakness that could compromise confidentiality, integrity or availability.
- Coordinated Disclosure: The process of privately reporting a vulnerability, allowing bridg.money time to remediate before public release.
- Safe-Harbour: Legal protection granted by bridg.money for authorised research activities performed in good faith
Scope of Testing
Environment / Asset:
- Merchant Dashboard (Production)
- Public APIs (BridgPay, BridgCollect, BridgRoute, BridgVault, BridgRecon)
- BridgVerify & BridgOnboard modules (KYC/KYB & onboarding tools)
- Sandbox partner portal (test integrations)
- Corporate website (www.bridg.money, trust & security pages)
- Future mobile apps (when launched)
- New public-facing assets automatically enter scope upon launch
Eligibility & Safe-Harbour
- Who may participate? Any individual except (a) current bridg.money employees or contractors, or (b) residents of OFAC-sanctioned jurisdictions. Teams may collaborate but must designate a single payout recipient.
- Legal authorisation: Activities that comply fully with this policy are expressly authorised. bridg.money will not initiate civil or criminal action, nor escalate to law enforcement.
- Good faith requirement: Cease testing and report immediately if you access personal data or service disruption occurs. Do not retain, copy or share sensitive data.
- Compliance with law: Safe-harbour applies only to activity that adheres to applicable cyber-security and data-protection laws, including the Information Technology Act 2000 (as amended) and related rules.
Rules of Engagement
Allowed:
- Manual probing and targeted fuzzing of in-scope assets
- Testing your own accounts / test data
- Rate-limited automated scans ≤ 10 req/s
- Exploiting LFI, SSRF, IDOR, authentication bypass
- Sub-domain takeover confirmation
Not Allowed:
- Volumetric DoS / DDoS attacks
- Social engineering (phishing, vishing, smishing)
- Physical intrusion into offices or data centres
- Spam or brute-force credential stuffing
- Actions that modify or delete data without consent
Tip: Include the header X-Researcher-Handle in test traffic to avoid being blocked by our fraud rules.
Reporting Procedure
- Send an encrypted email to security@bridg.money (PGP fingerprint: E95E 1C83 39F0 D14A BD01 3B78 650B 00F4 2C2B 65D9).
- Subject line: [VULN] — .
- Body must include:
- Asset/endpoint (URL, IP)
- Step-by-step PoC with requests, responses, screenshots or video
- Impact analysis
- Severity suggestion (CVSS v3.1)
- Proposed remediation (optional)
- bridg.money responds within 3 business days and assigns a tracking ID.
- Public disclosure is permitted 30 days after a fix, or sooner with written approval.
Assessment & SLAs
- Acknowledgement: ≤ 3 business days (automated receipt + analyst confirmation)
- Triage & Severity Assignment: ≤ 5 business days (CVSS 3.1 + business context)
- Remediation – Critical / High: ≤ 15 business days (compensating controls may be deployed first)
- Remediation – Medium / Low: ≤ 45 business days (part of scheduled release cycle)
- Status Updates to Researcher: Every 10 days until closure
- Duplicate reports: credit goes to the first valid submission; later duplicates are closed as informative.
Reward Framework
bridg.money offers competitive, severity-based rewards benchmarked against leading fintech programmes. Exact amounts are confidential; ranges below are indicative.
- Critical: Unauthenticated RCE, full account takeover, unrestricted SQLi → Hall of Fame, top-tier monetary reward, invite to private programmes
- High: Authentication bypass, serious SSRF, vertical privilege escalation → Hall of Fame, substantial monetary reward
- Medium: Reflected/DOM XSS, limited IDOR, misconfigured S3 bucket → Swag pack + discretionary monetary reward
- Low: Clickjacking, missing security headers, rate-limit gaps → Public thanks, possible swag
Rewards are issued within 30 days of fix deployment via INR bank transfer or USD-pegged stable-coin. Tax withholding follows Indian regulations.
Out-of-Scope / Non-Qualifying Issues
- Informational findings without exploitable impact
- Attacks requiring outdated browsers or rooted devices
- Banner disclosure, server-version leaks, descriptive 404 pages
- Self-XSS, SPF/DMARC misconfigurations alone
- TLS/SSL cipher issues mandated by regulatory compliance
- Testing of partner-bank infrastructure or third-party rails without consent
- www ↔ non-www redirect preferences
Hall of Fame
Researchers who submit valid, first‑to‑report vulnerabilities may be listed (with consent) on our public Wall of Appreciation, including severity, vulnerability title and CVE (if issued). Anonymous credit available on request.
Confidentiality & Data Use
All submissions are treated as confidential. bridg.money handles vulnerability information in alignment with the Digital Personal Data Protection Act 2023 (DPDP 2023) and relevant RBI privacy circulars. We will not share your report outside our remediation team without permission, and request that you keep details private until coordinated disclosure timelines are met.
Policy Lifecycle
This policy is Version 1.0. This document is informational and does not create contractual rights or obligations. bridg.money may modify the policy at any time at its sole discretion. This policy is governed by the laws of India, and disputes shall be subject to the exclusive jurisdiction of the courts in Bengaluru, Karnataka. Future updates will be posted at https://www.bridg.money/responsible-disclosure with a 14‑day notice for material changes.
Contact
- Security Team: security@bridg.money
- Emergency phone (24 x 7): +91 76765 12809
- Postal address (legal notices): Bridg Financial Technologies Pvt Ltd, WorkFlo Ranka Junction, #80/3 Old Madras Road, Bengaluru 560016, India
Quick Summary
- In‑scope: Prod dashboard, public APIs, sandbox partner portal, corporate site
- Report to: security@bridg.money (PGP) — Acknowledge ≤ 3 days
- Rewards: Severity‑based, competitive, paid within 30 days post‑fix
- Forbidden tests: Phishing, DoS, physical intrusion, data destruction
- Safe‑harbour: Full legal protection when acting in good faith
Thank you for partnering with us to keep bridg.money secure.