
Responsible Disclosure

Effective: 1 April 2026 · Governing law: India · Entity: Askflow Private Limited

We welcome security researchers reporting vulnerabilities in AskBooks. This page describes our scope, safe-harbour terms, and rewards. Please read carefully before testing.

1. Scope

In scope

  • askbooks.in and *.askbooks.in production domains
  • app.askbooks.in web application
  • api.askbooks.in public REST API
  • iOS app (App Store ID 6478xxxx) and Android app (com.askbooks)

Out of scope

  • Third-party services (Razorpay, Twilio, Cloudflare etc.) — please report directly to those vendors.
  • Social engineering of employees, physical security, denial-of-service attacks.
  • Findings on staging or dev subdomains — those are intentionally permissive.
  • Self-XSS, missing security headers without demonstrable impact, clickjacking on non-sensitive pages, automated scanner output without proof of impact.

2. Safe harbour

If you make a good-faith effort to comply with this policy, AskBooks will:

  • Not pursue or support legal action against you.
  • Treat your activity as authorised under the Information Technology Act 2000 and applicable computer-misuse laws.
  • Work with you to understand and resolve the issue quickly.

To stay within safe harbour you must:

  • Avoid privacy violations, destruction of data, or interruption of service.
  • Stop testing as soon as you confirm a vulnerability and report it.
  • Not disclose details publicly until a fix is deployed and we’ve mutually agreed on disclosure.

3. How to report

Email security@askbooks.in with:

  • A clear description of the vulnerability and impact.
  • Step-by-step reproduction (request samples, payloads, screenshots).
  • Your name (or pseudonym) and contact for follow-up.

Encrypted reports: PGP key fingerprint 4F1D 7A8C 9B2E 6F3A 1C5D 8E2B 7A4F 9C3E 1D8B 5E72 — full key on request.

4. Our commitments

  • Acknowledge your report within 1 business day.
  • Triage and assign severity within 3 business days.
  • Provide regular status updates (at least every 5 business days).
  • Credit you on our security hall of fame if you wish.

5. Rewards

  • Critical: ₹1,00,000 – ₹4,00,000
  • High: ₹40,000 – ₹1,00,000
  • Medium: ₹10,000 – ₹40,000
  • Low: ₹2,500 – ₹10,000

Severity is determined using CVSS 3.1 plus business-impact context. We may adjust based on quality of report and exploitability.

6. Hall of fame

We publicly thank researchers who help us. With your consent, your name (or handle) and the date of your report appear on our Trust Center.

7. Disclosure timeline

We aim to resolve and patch high/critical issues within 30 days. After a patch ships and a reasonable period has passed, we welcome coordinated public disclosure. Please don’t publish before we both agree.

8. Contact

security@askbooks.in · @askbooks on Twitter for non-sensitive coordination only.

Questions? Email legal@askbooks.in or write to Askflow Private Limited, Bengaluru, Karnataka 560034.