Responsible Disclosure Policy

Guidelines for security researchers and ethical hackers reporting vulnerabilities

Last updated: February 28, 2026

Bylukz Corporation Private Limited (“Bylukz”, “We”, “Us”, “Our”) values the efforts of security researchers and ethical hackers who responsibly identify and report potential vulnerabilities across our systems, applications, and digital assets. This Responsible Disclosure Policy establishes guidelines for reporting such vulnerabilities to us in a safe, lawful, and coordinated manner, ensuring that responsible research strengthens the security and integrity of the Bylukz Platform. Bylukz may update or revise this policy at its sole discretion, and researchers are encouraged to review it periodically to stay informed of the latest terms.

Researcher Responsibilities and Guidelines

Researchers who submit reports agree to comply with the terms of this policy. They must avoid activities that violate privacy, disrupt production environments, degrade user experience, compromise data integrity, or interfere with Bylukz systems. Testing should always be limited to the minimum actions required to confirm the presence of a vulnerability. Researchers must not exploit vulnerabilities to access or modify data, gain unauthorized privileges, establish persistence, attempt lateral movement, or perform any actions beyond verification. The moment a vulnerability is confirmed or sensitive information is encountered, the researcher must immediately cease all testing and report the issue to Bylukz without delay. All vulnerabilities and associated findings must remain confidential and not be publicly disclosed unless Bylukz explicitly grants written permission.

Legal Compliance and Policy Boundaries

Bylukz does not condone any testing that violates applicable laws or contractual agreements. The company reserves the right to pursue legal action if a researcher violates policy terms, causes harm, or conducts testing outside the permitted boundaries. Decisions made by Bylukz’s security team regarding the validity, severity, and impact of any vulnerability will be final. Bylukz may share vulnerability information with affected partners, vendors, or open-source projects as necessary to facilitate remediation and improve security at all levels.

Authorized Research and Good Faith Compliance

If a researcher makes a good-faith effort to comply with this policy, Bylukz will consider the research authorized and will collaborate to understand and remediate the issue quickly. Bylukz will not pursue legal action against any researcher who respects both the letter and spirit of this policy. However, if a vulnerability has the potential to expose customer data, critical system functions, or operational capabilities, researchers must not exploit the vulnerability further. Any attempt to use such vulnerabilities for unauthorized access, disruption, financial gain, or other harmful actions may result in legal consequences.

Scope of Policy

This policy applies to the Bylukz Android app, iOS app, the Bylukz website, and any subdomains or digital infrastructures owned and managed by Bylukz Corporation Private Limited. If a vulnerability is discovered within these systems, the researcher must halt further testing and notify Bylukz promptly.

Out of Scope Findings

Certain findings are considered out of scope for this policy, including general software bugs, SSL configuration issues, SPF/DMARC problems without security impact, missing headers, issues that affect only outdated browser or app versions, vulnerabilities requiring MITM or physical access, clickjacking without demonstrable harm, logout or unauthenticated CSRF, outdated library issues without a working exploit, text injection or content spoofing without an attack vector, open redirects, missing DNS CAA records, directory listing, stack traces, path disclosure, self-XSS, and any vulnerabilities arising from social engineering, phishing, or targeting Bylukz employees or users. Issues arising from non-Bylukz systems such as cloud providers or third-party platforms are also excluded. Weaknesses such as lack of CAPTCHA, autocomplete behaviour, session timeout settings, or visible API keys without impact are generally out of scope as well.

Prohibited Activities

Researchers must avoid causing Denial of Service (DoS or DDoS), using automated scanners or mass vulnerability detection tools, or exploiting vulnerabilities for any form of gain. They must refrain from accessing or attempting to access the accounts or personal data of other individuals. All findings must be kept confidential between the researcher and Bylukz until the issue is fixed and Bylukz grants written approval for disclosure. All reports submitted must include accurate steps to reproduce the issue, with clear explanation and impact. Researchers affirm that they possess the rights to disclose any information they submit and grant Bylukz a perpetual, irrevocable, royalty-free license to use any submitted information for security purposes.

Reporting Vulnerabilities

To report a vulnerability, researchers must email Bylukz at security@bylukz.com with the subject line indicating a suspected vulnerability. The report must include the researcher’s full name, email address, contact number, and any public profiles if available, followed by detailed vulnerability information such as the name, affected application, endpoint, impact, step-by-step reproduction method, and suggested remediation. Updated or additional information should be sent as soon as it becomes available. Bylukz may share the report with relevant internal or external teams as needed.

Recognition and Acknowledgment

Bylukz values responsible contributions and may, at its discretion, acknowledge researchers whose reports help resolve legitimate vulnerabilities. After verification and resolution, eligible researchers may be listed in Bylukz’s “Security Hall of Fame” or may receive certificates or recognition, provided that all guidelines were followed, and the vulnerability had a clear, significant security impact. Recognition is not guaranteed and remains subject to internal assessment.

This Responsible Disclosure Policy ensures collaborative efforts between Bylukz and the security community, fostering a safer platform for all customers, partners, and stakeholders.