1. Introduction

Veyronix Technology Private Limited (hereinafter referred to as "Genixpay") is committed to ensuring the security and integrity of its systems, platforms, and services. We take all reports of security vulnerabilities seriously and encourage responsible disclosure to help us address any potential weaknesses promptly and appropriately. This policy outlines how individuals or entities ("Researchers") may report vulnerabilities responsibly and how Genixpay will respond.

2. Our Commitment to Responsible Disclosure

Provided a Researcher adheres to the terms set forth in this Responsible Disclosure Policy and does not violate any applicable laws or regulations, Genixpay commits to:

  • Promptly acknowledging the receipt of a reported vulnerability and working collaboratively to validate and remediate the issue.
  • Keeping the Researcher informed of the investigation progress and resolution status.
  • Refraining from initiating legal action against the Researcher for reporting vulnerabilities in good faith.
  • Ensuring no service suspension or adverse action is taken against a merchant or agent as a result of a valid vulnerability report.
  • Recognising the Researcher’s contribution in Genixpay’s Hall of Fame, where appropriate.

3. In Scope

This policy applies to all Genixpay services, including but not limited to:

  • Web-based platforms
  • Mobile applications (Android and iOS)
  • Services processing sensitive personal data, including card and authentication information

Web and mobile application vulnerabilities will be assessed against OWASP Top 10 and OWASP Mobile Top 10 standards respectively.

4. Out of Scope

This policy does not apply to:

  • Services hosted by third-party providers
  • Vulnerabilities related to user interface, spelling, or non-security bugs
  • Physical penetration testing, social engineering, or denial-of-service (DoS) attacks

5. Testing Guidelines

Researchers must:

  • Conduct testing only on accounts they own or have explicit permission to use.
  • Avoid accessing, modifying, or deleting data belonging to others.
  • Not use automated scanning tools or techniques that degrade system performance.
  • Avoid any testing methods that violate local or international laws.
  • Use only their own personal email and account details when registering accounts for testing purposes.

Genixpay prohibits any form of phishing, social engineering, or physical access attempts against our personnel or systems.

6. Rules of Responsible Conduct

Researchers must:

  • Avoid disrupting services or impacting user/merchant experience.
  • Never exploit vulnerabilities beyond the extent required to demonstrate proof-of-concept.
  • Not cause any financial loss or unauthorised fund transfers.
  • Maintain confidentiality and not disclose the vulnerability publicly without Genixpay’s prior written consent.
  • Allow Genixpay a minimum of 30 days to investigate and address the reported issue before any form of disclosure.
  • Grant Genixpay and its affiliates a perpetual, worldwide, royalty-free licence to use, modify, and incorporate their submission into any service or product.

7. Reporting a Vulnerability

Researchers should include sufficient information to enable Genixpay to reproduce the issue. This may include:

  • A clear description of the vulnerability
  • Proof-of-concept scripts
  • Screenshots or screen recordings
  • Your contact details

Reports must be submitted via email to info@genixpay.com.

8. Recognition

While Genixpay does not offer monetary rewards, verified and impactful submissions may be recognised in our official Hall of Fame as a token of appreciation.

9. Legal Safe Harbour and Policy Compliance

Genixpay will not initiate legal action against Researchers who act in good faith and in alignment with this Responsible Disclosure Policy. Such activities will be considered authorised under Indian laws, including the Information Technology Act, 2000, provided they are carried out without malicious intent or unlawful exploitation. Genixpay will not initiate proceedings under intellectual property or cybersecurity statutes for legitimate, policy-compliant security research aimed at improving the safety of our systems.

If any third party initiates legal proceedings against a Researcher for actions consistent with this policy, Genixpay will make it known that such activities were conducted in good faith and in accordance with our Responsible Disclosure Policy.

10. Public Non-Disclosure Policy

This Responsible Disclosure Programme operates under a strict "Public Non-Disclosure" framework. This means vulnerability details must not be published publicly without Genixpay’s written consent. Breach of this clause may result in legal consequences.

By participating in this programme, you acknowledge your understanding and agreement with all terms outlined herein. Genixpay values your cooperation in safeguarding our environment.