Responsible Disclosure Policy

Last updated: June 2026  |  Effective date: June 2026

Thank you for taking the time to help improve the security of Sallfin's website and systems. We take the security of our platform and the confidentiality of client data seriously, and we genuinely appreciate the contributions of security researchers and responsible individuals who report vulnerabilities to us.

By submitting a vulnerability report to Sallfin, you agree to the terms set out in this Responsible Disclosure Policy ("Policy"). This Policy is intended to protect both you and Sallfin, and to ensure that reported issues are handled promptly and responsibly.

Quick reference

The table below summarises the key points of this Policy. Please read the full sections for complete details.

  • Report to: security@sallfin.com
  • Scope: sallfin.com, its subdomains, and the web applications, APIs, and forms served from them (see Section 2 for exclusions)
  • Safe harbour: Yes — for good-faith research conducted within scope and under the conditions of this Policy
  • Monetary reward: No — this is a voluntary disclosure programme
  • Coordinated disclosure window: 90 days from date of report
  • Response time: Acknowledgement within 3 business days; initial assessment within 10 business days

1. Safe harbour

If you discover a security vulnerability and report it to us in good faith, following the process and conditions set out in this Policy, Sallfin will not pursue civil legal action against you, nor will we refer the matter to law enforcement, solely in connection with your good-faith discovery and reporting of that vulnerability.

This safe harbour applies only where you have acted in accordance with all conditions of this Policy. It does not apply if you access, retain, or misuse personal or confidential data; cause harm or disruption; or take any action beyond what is strictly necessary to identify and report the vulnerability.

2. Scope

This Policy covers the following systems operated by Sallfin:

  • The Sallfin website at sallfin.com and any subdomains (e.g. www.sallfin.com)
  • Any web application, API, or form accessible through those domains

This Policy does NOT cover:

  • Systems, networks, or infrastructure operated by third-party providers (such as hosting providers, cloud platforms, or software vendors)
  • Any client systems, data, or infrastructure — these are entirely out of scope and must not be accessed
  • Physical premises, hardware, or offline systems
  • Social engineering attacks targeting Sallfin personnel

3. How to report a vulnerability

Please submit all vulnerability reports by email to security@sallfin.com. To help us assess and respond to your report quickly, please include as much of the following as possible:

  • A clear description of the vulnerability and the type of issue (e.g. XSS, SQL injection, broken authentication, information disclosure)
  • The specific URL, endpoint, or component where the vulnerability exists
  • Step-by-step instructions to reproduce the issue, including any relevant requests, responses, screenshots, or proof-of-concept code
  • How you discovered the vulnerability
  • The potential impact you believe the vulnerability could have
  • Any suggested remediation steps, if you have them
  • Your name and contact details (optional — you may report anonymously, but this will limit our ability to keep you updated)

Please do not include sensitive personal data belonging to third parties in your report. If you inadvertently encountered personal data during your research, note this in your report but do not include the data itself.

4. Permitted and prohibited methodology

We ask that you conduct your research responsibly and in a manner that does not harm Sallfin, its clients, or other users. You may test for vulnerabilities only on systems within scope.

You must NOT:

  • Perform denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks, or any test that could degrade service availability
  • Attempt to access, download, copy, modify, or delete data that does not belong to you, including any personal data or client financial information
  • Access any account, system, or data beyond what is strictly necessary to demonstrate the existence of the vulnerability
  • Exploit a vulnerability further than is necessary to establish proof of concept
  • Use automated scanning tools in a way that generates excessive traffic or disrupts normal site operation
  • Attempt to gain physical access to any Sallfin premises or hardware
  • Engage in social engineering, phishing, or vishing against Sallfin personnel
  • Publicly disclose the vulnerability before Sallfin has had a reasonable opportunity to investigate and remediate it (see Section 6)

Once you have identified and documented a vulnerability, you must stop testing and submit your report. The safe harbour in Section 1 does not apply to any activity that violates the conditions of this section.

5. No access to personal or client data

Sallfin handles highly sensitive client financial information. By participating in this programme, you represent and warrant that:

  • You have not accessed, copied, retained, or misused any personal data or client financial data belonging to Sallfin or its clients
  • If you inadvertently encountered any such data during your research, you have not retained it and will securely delete any copies
  • You will not use any information obtained during your research for any purpose other than reporting the vulnerability to Sallfin

If you access client financial data, even inadvertently, you must disclose this immediately in your report. Such access falls outside the safe harbour regardless of intent.

6. Coordinated disclosure

We believe in coordinated disclosure to give us time to investigate and remediate issues before they are made public. We ask that you:

  • Keep the details of the vulnerability confidential until we have issued a fix or determined that no fix is required
  • Give us a reasonable period — ordinarily 90 days from your report — to investigate and remediate before disclosing publicly
  • Contact us before any public disclosure to agree on timing and wording

If you wish to publish your research after a fix is in place, we are happy to work with you on the disclosure. We will acknowledge your contribution publicly if you would like us to.

7. Intellectual property

By submitting a vulnerability report, you grant Sallfin a perpetual, worldwide, royalty-free licence to use the information you provide — including any proof-of-concept code, suggested patches, or remediation advice — for the purposes of investigating, fixing, and improving our systems. This licence does not grant you any rights in any Sallfin intellectual property.

Sallfin does not claim ownership of any original research or tools you developed independently. We simply need the right to act on the information you share with us.

8. No monetary reward

Sallfin does not currently operate a paid bug bounty programme. Vulnerability reports are accepted on a voluntary, goodwill basis and no payment or other consideration is owed for any submission. If this changes in the future, we will update this Policy.

We will, however, publicly acknowledge the contributions of researchers who report valid vulnerabilities and wish to be credited, subject to their consent.

9. No employment or agency relationship

Submitting a vulnerability report does not create any employment, contractor, partnership, joint venture, or agency relationship between you and Sallfin. You have no authority to make any statement, representation, or commitment on Sallfin's behalf. Nothing in this Policy constitutes an offer of employment or engagement.

10. Disclaimer of liability

To the maximum extent permitted by applicable law, Sallfin makes no representations or warranties of any kind in connection with this Policy or any vulnerability submission. Sallfin shall not be liable for any direct, indirect, incidental, consequential, or punitive damages arising out of or in connection with your participation in this programme, including any reliance on the safe harbour provisions herein.

The safe harbour described in Section 1 is a statement of Sallfin's current intentions and does not constitute a legal waiver of any rights Sallfin may have under applicable law. Nothing in this Policy limits Sallfin's ability to respond to any activity that causes harm, disruption, or falls outside the scope or conditions of this Policy.

11. Governing law

This Policy is governed by the laws of India. Any dispute arising in connection with it shall be subject to the exclusive jurisdiction of the courts of Bhubaneswar, Odisha, India.

12. Changes to this Policy

Sallfin reserves the right to modify or withdraw this Policy at any time at its sole discretion. The current version will always be available at sallfin.com/responsible-disclosure. Changes take effect from the date they are published. Continued participation after a change constitutes acceptance of the updated terms.

13. Contact

To report a vulnerability or ask a question about this Policy, please contact:

Security Contact

Sallfin Financial Planning & Analysis
Bhubaneswar, Odisha, India
Security email: security@sallfin.com
Website: sallfin.com

We will acknowledge all reports within 3 business days and aim to provide an initial assessment within 10 business days.

Thank you for helping us keep Sallfin and our clients' data secure.
