Last updated 12 June 2026
Overview
Agroy Finance and Investment Limited takes the security of our investors’ data and funds seriously. If you believe you have found a security vulnerability in any of our services, we want to hear from you and will work with you to understand and resolve the issue quickly. This policy is published in line with CERT-In responsible-disclosure guidance and the ISO/IEC 29147 and 30111 standards. A machine-readable summary is available at /.well-known/security.txt.
Scope
In scope: the Agroy investor-facing web and mobile surfaces, including www.agroy.com, live.agroy.com, ekyc.agroy.com, and the Agroy Live mobile apps (Android com.agroy.xts and iOS id1670574080).
Out of scope: third-party platforms we link to or embed (e.g. exchange, depository, KYC, IPO and payment-partner portals); please report those to the respective owner. Also out of scope: findings that require physical access, social engineering of our staff or customers, volumetric denial-of-service, spam, or reports from automated scanners without a demonstrated, exploitable impact.
Safe harbour
We will not pursue or support legal action against researchers who, in good faith, discover and report a vulnerability in accordance with this policy. We consider security research conducted under this policy to be authorised, lawful, and helpful. If legal action is initiated by a third party against you for activity that complied with this policy, we will make this authorisation known.
Rules of engagement
- Only test against accounts and data that belong to you. Do not access, modify, or exfiltrate other users’ personal data.
- Do not perform denial-of-service, load/stress testing, or any action that degrades service for other investors.
- Stop as soon as you have established that a vulnerability exists, and report it. Do not pivot deeper than necessary to demonstrate impact.
- Keep the details of any vulnerability confidential until we confirm it has been remediated and agree a coordinated disclosure timeline with you.
- Comply with all applicable laws.
How to report
Email security@agroy.com (or compliance@agroy.com). Please include: a clear description of the issue, the affected URL / endpoint / app screen, the steps to reproduce, any proof-of-concept (screenshots or a short video), and your assessment of the impact. Where possible, encrypt sensitive details; a PGP key for security@agroy.com is available on request. Do not include third-party personal data in your report.
Our commitment
- Acknowledgement within 3 working days of receipt.
- Triage and initial assessment within 7 working days, including a severity rating (we use CVSS v3.1/v4.0).
- Status updates at least monthly until the issue is resolved.
- Where personal data may be affected, we additionally notify the Data Protection Board and affected Data Principals as required under the DPDP Act 2023, and report to CERT-In / SEBI where applicable. See our Privacy Policy.
Recognition
We do not currently run a paid bug-bounty programme, but with your consent we are happy to acknowledge your contribution once a reported issue has been remediated. Thank you for helping keep Agroy investors safe.