Our Philosophy
At HX Security, we test other organisations' systems for a living. That means we hold ourselves to the highest possible standard when it comes to the security of our own infrastructure, code, and data. We do not believe in security through obscurity.
We recognise that the global security research community plays a vital role in keeping the internet safer for everyone. Responsible security researchers who discover and disclose vulnerabilities ethically deserve respect, protection, and recognition — not legal threats or silence.
This Responsible Disclosure Policy is our public commitment to researchers who engage with us in good faith. We will work with you to understand, validate, and remediate any verified vulnerability — and we will acknowledge your contribution if you wish.
Our Pledge: We will never pursue legal action against researchers who discover and report vulnerabilities to us in good faith, following the guidelines in this policy.
Scope
This policy covers vulnerabilities discovered in HX Security's own systems, infrastructure, and digital assets. It does not authorise testing of any client systems — those are covered under separate client-specific agreements.
In Scope
- hxsecurity.in (main website)
- All *.hxsecurity.in subdomains
- HX Security web applications
- Public-facing APIs
- Email infrastructure (SPF, DKIM, DMARC)
- Authentication mechanisms
- Client portal (if applicable)
Out of Scope
- Any client systems or networks
- Third-party services we use
- Denial of Service (DoS/DDoS)
- Social engineering of our staff
- Physical security attacks
- Spam or phishing campaigns
- Automated scanner output (unvalidated)
Unsure if your finding is in scope? Email us at security@hxsecurity.in with a brief description before proceeding with deeper investigation. We'll confirm scope promptly.
Prohibited Actions
While we welcome responsible security research, the following actions are strictly prohibited. Engaging in these activities will void your safe harbour protections and may result in legal action:
- Data Exfiltration: Do not access, download, copy, or exfiltrate any data beyond what is minimally necessary to prove the vulnerability exists. Immediately stop and report if you inadvertently access sensitive data.
- Data Destruction or Modification: Do not delete, modify, or corrupt any data — including test data.
- Denial of Service: Do not conduct any attacks intended to degrade or deny service to our systems or users.
- Social Engineering: Do not attempt to manipulate our employees, contractors, or partners through phishing, pretexting, or other social engineering techniques.
- Physical Attacks: Do not attempt to gain physical access to our offices, data centres, or hardware.
- Lateral Movement to Client Systems: If you discover access to client data through our systems, stop immediately, do not proceed, and report it to us right away.
- Public Disclosure Before Remediation: Do not publicly disclose vulnerability details before we have had a reasonable opportunity to remediate (see our SLA in Section 6).
- Automated Aggressive Scanning: Do not conduct high-volume automated scans that impact system performance for legitimate users.
Important: Violating any of the above may result in immediate termination of your safe harbour protections and referral to appropriate legal authorities. When in doubt, always ask first.
How to Report
Please submit all vulnerability reports through our dedicated security channel. Do not report security vulnerabilities through our general contact form or social media — these channels are not monitored for security-sensitive content.
Primary Submission Channel
Send your report to: security@hxsecurity.in
PGP Encryption (Recommended for Critical Issues)
For critical vulnerabilities involving sensitive data, we strongly recommend encrypting your email. Our PGP public key is available on request — email us first with subject line [PGP Key Request] and we will provide it within 4 hours.
Subject Line Format
Please use the following format for your email subject to help us triage quickly:
[Responsible Disclosure] [Severity] — Brief Description
Example: [Responsible Disclosure] [High] — Reflected XSS on /search endpoint
What to Include in Your Report
A detailed, well-structured report helps us triage, validate, and fix the issue faster. Please include as much of the following as possible:
- Vulnerability Type: E.g., SQL Injection, XSS, SSRF, IDOR, authentication bypass, information disclosure, etc.
- Affected Asset: The specific URL, endpoint, application, or system component where the vulnerability exists.
- Severity Assessment: Your assessment of the severity and potential business impact (we will independently verify, but your view is valuable).
- Step-by-Step Reproduction: A clear, reproducible sequence of steps to trigger the vulnerability. Include exact HTTP requests/responses where possible.
- Proof of Concept (PoC): Screenshots, screen recordings, HTTP captures (Burp Suite exports), or code snippets that demonstrate the vulnerability without causing harm.
- Tools Used: List any tools or scripts you used during your research.
- Suggested Remediation: If you have a recommendation for how to fix the issue, please share it — your expertise is valuable.
- Your Contact Details: How we can reach you for follow-up questions. You may submit anonymously, but this limits our ability to keep you updated.
- Recognition Preference: Whether you'd like to be acknowledged publicly in our Hall of Fame, and if so, what name or handle to use.
Quality over quantity: A single well-documented report with a working PoC is far more valuable than multiple unvalidated findings from an automated scanner. We will always prioritise quality submissions.
Our Response Process & SLAs
We take all valid reports seriously. Here is how we handle the process from receipt to resolution:
Coordinated Disclosure
We request a coordinated disclosure period of 90 days from the date of your initial report to allow us to remediate the vulnerability before public disclosure. For critical vulnerabilities with active exploitation risk, we may request an extension — but we will always communicate openly and keep you informed.
If we fail to respond meaningfully within the timelines above, you may proceed with public disclosure after notifying us 7 days in advance.
Severity Classification
We use the following severity framework, aligned with CVSS v3.1, to classify and prioritise reported vulnerabilities:
| Severity | CVSS Score | Examples | Target Fix SLA |
|---|---|---|---|
| Critical | 9.0 – 10.0 | RCE, SQLi with data exfiltration, Authentication bypass to admin, Mass account takeover | 7 days |
| High | 7.0 – 8.9 | Stored XSS, SSRF with internal access, Privilege escalation, Sensitive data exposure | 30 days |
| Medium | 4.0 – 6.9 | Reflected XSS, IDOR (limited impact), Open redirect, Missing security headers | 60 days |
| Low / Info | 0.1 – 3.9 | Version disclosure, Non-exploitable misconfigurations, Best-practice improvements | 90 days |
Severity may be adjusted based on our assessment of the specific environment, exploitation difficulty, and actual business impact. We will always explain our reasoning if we reclassify your submission.
Safe Harbour
HX Security extends the following safe harbour protections to security researchers who act in good faith in accordance with this policy:
We will not pursue civil or criminal action against any researcher who: (1) discovers a vulnerability through legitimate security research aligned with this policy; (2) refrains from actions prohibited in Section 3; (3) reports the vulnerability to us promptly and provides us a reasonable timeframe to remediate before any public disclosure; and (4) makes no unauthorised use of discovered data and deletes any inadvertently obtained data upon our request.
We consider legitimate security research that follows this policy to be "authorised" under applicable computer crime laws. We will not file complaints with law enforcement against researchers who comply with this policy.
If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will make our position clear that your activities were conducted in good faith and in accordance with an authorised disclosure policy.
Note: Safe harbour applies only to activities explicitly covered by this policy. It does not cover activities against our clients' systems, illegal access to third-party infrastructure, or activities that violate the prohibited actions in Section 3.
Recognition & Hall of Fame
We believe that recognising contributors who help keep our systems secure is both fair and important. Researchers who submit valid, confirmed vulnerabilities will be offered:
- Public Hall of Fame Listing: Your name or chosen alias listed on our public Responsible Disclosure Hall of Fame page (with your permission).
- Written Letter of Acknowledgement: A formal letter confirming your contribution — useful for professional portfolios, CVs, and certifications.
- Direct Credit in Fix Documentation: Where appropriate, credit in our internal security remediation records.
- LinkedIn Recommendation: For particularly impactful contributions, we are happy to provide a professional endorsement for your security research skills.
Recognition is entirely optional. You may submit anonymously, and we will honour any preference you express regarding how (or whether) your contribution is credited publicly.
Coming Soon — Hall of Fame: We are building our public Hall of Fame page. Early contributors will receive special recognition as founding members of the HX Security research community.
Bug Bounty
HX Security currently operates a courtesy-based responsible disclosure programme rather than a formal monetary bug bounty. We are a growing company and are building toward a structured bounty programme.
At present, we offer non-monetary recognition and the protections described in this policy. For particularly significant vulnerabilities (Critical severity with material impact), we may, at our sole discretion, offer additional courtesies on a case-by-case basis.
We will publish an update to this page when we launch a formal bug bounty programme. Researchers who have previously contributed valid findings will be given priority access to the programme upon launch.
Interested in paid security work? If you are a skilled security researcher interested in a formal engagement with HX Security, reach out to us at contact@hxsecurity.in. We are always open to working with talented researchers.
Policy Updates
This Responsible Disclosure Policy may be updated from time to time as our programme matures, as we introduce a bug bounty, or as legal and industry standards evolve.
The "Last Updated" date at the top of this page reflects the most recent revision. Significant changes will be announced on our website. We encourage researchers to review this policy before each engagement.
Questions about any aspect of this policy are always welcome at security@hxsecurity.in.
Contact
For all security-related disclosures and policy questions, please use our dedicated security channel:
- Security Email: security@hxsecurity.in
- General Enquiries: contact@hxsecurity.in
- Website: hxsecurity.in
- LinkedIn: linkedin.com/company/hx-security
Please do not disclose vulnerability details on social media, public forums, or to any third party before following the coordinated disclosure process described in this policy.
Found a Vulnerability in Our Systems?
We appreciate your effort. Send us a detailed report and we'll handle it with the urgency and respect it deserves.