Vulnerability Disclosure Program

Last updated: April 3, 2026

Overview

Saleshandy is committed to protecting our customers and our systems. If you believe you've found a security vulnerability in Saleshandy products or services, we encourage you to report it responsibly.

This program is voluntary and is intended to enable responsible security research and vulnerability disclosure.

Scope of Systems

This policy applies to the following "Information Systems":

In Scope

  • https://my.saleshandy.com and its first-party application functionality
  • Saleshandy-owned APIs and services directly used by my.saleshandy.com
  • Saleshandy Chrome Extension (latest published version from Chrome Web Store)
  • Email sending infrastructure (SMTP/delivery services operated by Saleshandy)
  • OAuth authentication flows for connected email accounts
  • Webhook endpoints receiving or sending data from/to Saleshandy systems
  • IMAP/SMTP credential handling within Saleshandy's backend

Out of Scope

  • https://www.saleshandy.com (static marketing site; not connected to user accounts)
  • Third-party services, integrations, or platforms (even if linked from our product)
  • Customer-managed environments, custom deployments, or systems not owned/operated by Saleshandy
  • Third-party email providers' infrastructure (Gmail, Outlook, etc.)

If you identify an issue in a third-party system, please follow that provider's disclosure process.

Scope of Vulnerabilities

We welcome reports of security issues such as (examples):

  • Authentication and authorization bypass
  • IDOR / broken access control
  • SQL/NoSQL injection
  • XSS with meaningful impact
  • SSRF, RCE, command injection
  • Sensitive data exposure
  • Privilege escalation
  • Security misconfigurations with a working proof of concept

Severity determination is at Saleshandy's discretion based on actual exploitability and business impact.

Out of Scope (Examples)

The following are generally out of scope:

  • Denial of Service (DoS/DDoS) testing, traffic flooding, or resource exhaustion
  • Social engineering (including phishing) or attempts to obtain employee credentials
  • Physical attacks against Saleshandy offices, employees, or infrastructure
  • Vulnerabilities requiring outdated/unpatched browsers or non-default client configurations without a practical impact
  • Reports that only describe best-practice gaps (e.g., missing headers) without a clear exploit path or meaningful impact
  • Clickjacking on pages with no sensitive actions
  • Automated scanner output without validation and reproduction steps

Third-party dependencies: We evaluate third-party dependency issues on a case-by-case basis. If you identify a vulnerable dependency that is exploitable in the context of our systems, please report it with your analysis — we will assess the impact and validity.

Rules of Engagement (Good-Faith Testing)

To keep research safe for our customers and services, please:

  • Use only accounts you own or have explicit permission to test
  • Make a good-faith effort to avoid privacy violations and disruption
  • Do not access, modify, copy, retain, or exfiltrate data that does not belong to you
  • Stop testing immediately if you encounter sensitive data, and report the finding promptly
  • Do not perform destructive testing (e.g., data deletion) or install persistence mechanisms
  • Do not conduct testing that degrades service availability (including DoS)

Automated Testing Guidelines

If you use automated tools (e.g., Burp Suite, nuclei, custom scripts):

  • Limit request rates to a maximum of 10 requests per second per endpoint
  • Avoid aggressive fuzzing that could trigger rate limits or degrade service
  • Do not run automated scans during peak hours (9 AM – 6 PM IST) without prior coordination
  • If you are unsure whether your testing approach is acceptable, contact us at security@saleshandy.com before proceeding

How to Report a Vulnerability

Please submit a report with enough detail for us to reproduce and validate the issue.

Preferred reporting channel: Email security@saleshandy.com

What to Include

  • A clear description of the issue and its potential impact
  • Step-by-step reproduction instructions
  • Affected URLs/endpoints, parameters, and/or request/response samples
  • Proof of concept code or screenshots (if helpful)
  • Any relevant environment details (browser/app version, account type, roles)
  • Your proposed severity assessment (using CVSS 3.1 if possible)

Please Do Not

  • Publicly disclose the issue before coordinated disclosure (see Disclosure section)
  • Demand compensation or make threats as a condition of disclosure

Duplicate Reports

If multiple researchers report the same vulnerability:

  • Credit goes to the first valid report received (based on timestamp)
  • Subsequent reporters will be notified that a duplicate was already received
  • We do not disclose details of the original reporter to subsequent reporters

If your report is marked as a duplicate but you believe your submission contains unique information or a different attack vector, you may request a re-review.

Compensation

This program is primarily recognition-based. We may, at our discretion, offer a bounty or other token of appreciation for reports with meaningful business impact and strong technical value.

We may recognize contributions through:

  • A letter of appreciation upon request.
  • At our sole discretion, a bounty or token of appreciation for valid reports with meaningful business impact.

If our compensation model changes in the future, this policy will be updated accordingly.

Safe Harbor

When you conduct security research in accordance with this policy and in good faith, Saleshandy considers that research to be authorized on in-scope systems and we will not pursue legal action for such activities.

Safe harbor is conditioned on:

  • Following this policy and applicable laws
  • Avoiding harm, disruption, and privacy violations
  • Limiting testing to what is necessary to confirm the vulnerability
  • Promptly reporting the vulnerability and not publicly disclosing details before coordinated disclosure

Safe harbor does not apply to:

  • Testing of systems outside scope
  • Social engineering, phishing, or physical attacks
  • Activities intended to disrupt service or harm users

Disclosure

Public disclosure of vulnerabilities is not permitted without prior written consent from Saleshandy.

All vulnerability details, including proof of concept, reproduction steps, and any related communications, must remain confidential. Unauthorized disclosure may void safe harbor protections and result in legal action.

If you wish to be credited for your contribution (e.g., in release notes), please indicate this in your report and we will coordinate appropriately.

Governing Law and Jurisdiction

This policy and any disputes arising from vulnerability research conducted under it shall be governed by the laws of India. Any legal proceedings shall be subject to the exclusive jurisdiction of the courts in Ahmedabad, Gujarat, India.

Changes to This Policy

This VDP policy may be updated from time to time. The version in effect at the time of your research will apply to activities conducted under it.

Material changes will be noted at the top of this document with the "Last updated" date.

Questions?