Hippo Store’s Vulnerability Disclosure Policy
Vulnerability Disclosure Policy

Hippostores Technology Pvt Ltd (referred to as “HTPL” or “Company” hereinafter) considers customer trust and information security to be among its top priorities. We continuously make diligent efforts to ensure that our IT environment is secure for our stakeholders. We also appreciate the good faith efforts of the security researcher community to protect our information and the privacy of our customers. However, while we do our utmost to take considerable care of potential security issues within our IT systems, we also duly recognize that vulnerabilities can appear. For this reason, if a security researcher (referred to as “You” hereinafter) finds a vulnerability in our systems, we would appreciate being notified of it and having it responsibly disclosed to us, promptly and as soon as possible. Please note that our Vulnerability Disclosure Policy is not a solicitation to actively probe our IT environment / internet facing services to discover vulnerabilities. Such probes shall be considered illegitimate and shall attract the attention of our security team, triggering investigatory activities.

Reporting vulnerabilities: responsibilities and procedures

If you believe that you have found a material vulnerability, kindly report it to us by clicking and submitting here on this form. While reporting, please include a detailed account of the vulnerability, along with a method for us to replicate it. It is mandatory to report the CVSS score as obtained by clicking here. In the interest of mutual safeguards, kindly do not disclose the vulnerability to the public or to any party other than HTPL. Hippostores Technology Pvt Ltd (HTPL) shall conduct its own triaging and risk assessment of the findings and shall take an appropriate decision on informing customers, stakeholders and regulatory bodies at large. You are not authorized to make any announcement on behalf of HTPL.

The vulnerabilities thus positively observed need to be reported to Hippostores Technology Pvt Ltd with a complete description, including the proof of concept of such finding. HTPL does not authorize intrusive penetration testing, scanning tools, or taking any action that may intentionally or incidentally negatively impact the integrity of our services; this includes any actions that may cause a degradation of services or put customer confidentiality at risk. HTPL also does not authorize research that is not otherwise legitimate, that is not helpful to the overall security program of HTPL’s services, or that is not conducted in good faith.

Qualification Criteria

Only vulnerabilities discovered on the https://hippostores.com domain are eligible under this disclosure program. Vulnerabilities reported in compliance with the above stated responsibilities and procedure shall be seen in the overall business and threat context of HTPL and shall be duly assessed for validity by HTPL Information Security along with the relevant SME teams. Even where a vulnerability exists and a suitable proof of concept is demonstrated by the reporter, it may not necessarily result in a business impact as assessed by the HTPL teams; in all such cases those vulnerabilities shall not be eligible for consideration.

Any vulnerability discovered on third party systems shall not be considered. Also, any known vulnerability which is already recognized and reported by the OEMs shall not be considered an eligible submission.

Safe Harbour

At HTPL we strongly believe that the finding of vulnerabilities by the researcher community is performed in good faith and must be provided a safe harbor from any sort of legal action from HTPL, and we are committed to this.

If at any point in time you have any doubt whether your security research is consistent with our Vulnerability Disclosure Policy, kindly reach out to us with your query at infosec@hippostores.com before you proceed.

While we are committed to the security of our technology landscape, this policy is not binding on third party service providers, and they are not restricted from taking legal action against any such research activities. In the event you find any third party related vulnerabilities, kindly contact the appropriate third party directly, though it must be noted that such third parties may not necessarily provide a legal safe harbor.

If a third party vulnerability has significant collateral effects on HTPL services, then we may choose, at our sole discretion, to work with you and the third party to address the vulnerability.

What we promise to do at HTPL
  • Our Information Security team will confirm receipt of vulnerability submission within two business days.
  • We will respond to your report within four business days with our evaluation of the report, validity of the reported finding, acceptance of the reported vulnerability and an expected resolution date.
  • We will never disclose the vulnerability to the public and shall require the same from you, unless we give explicit written confirmation to do so. If we decide to make the issue public, we will give you credit for identifying it, though only with your consent to be duly credited.

Rewards

Hippostores Technology Pvt Ltd currently does not provide any monetary rewards for reporting vulnerabilities. However, to give due credit to your research and recognize your genuine intent to partner with us in keeping our stakeholders safe, we may recognize you through official email communication and / or recognition on our Hall of Fame page.

In the event that there is more than one responsible disclosure of the same vulnerability, we shall consider recognizing all such efforts by email.

If there is any inconsistency between this Policy and any other applicable terms, the terms of this Policy shall prevail. By submitting a report to HTPL, you accept and agree to the terms of this Policy.