Responsible Disclosure Policy

At Recur Club Technologies Private Limited, we are committed to maintaining the security and privacy of our customers' data. We appreciate the efforts of security researchers in helping us identify and address vulnerabilities. If you believe you've discovered a security vulnerability, we encourage you to follow our responsible disclosure policy outlined below:

Responsible Disclosure
If you've identified a security vulnerability in our systems, we ask that you report it to us responsibly. Our Bug Bounty program is designed to provide a framework for security researchers to collaborate with us on identifying and fixing security issues.

Bug Bounty Program
- If you are interested in collaborating with us, please apply to the Recur Club Bug Bounty program.
- If you've encountered a security vulnerability by chance, please refrain from disclosing it publicly. Instead, report it to us via email at infosec@recur.club.

Rules for Security Researchers
1. All security testing should be conducted on a separate environment provided exclusively for researchers who are part of the Recur Club Bug Bounty program.

2. When testing vulnerabilities encountered by chance on the production environment:
- Do not delete or modify data without authorization. Avoid unauthorised data access and service disruption.
- Do not attempt a Denial of Service (DoS) attack.
- Do not access or modify data that does not belong to you.
- Do not run automated tools against our servers without prior coordination.
- Refrain from abusing our servers' resources, including unsolicited or unauthorized emails.
- Do not publicly disclose the issue until we confirm its resolution.
- Do not engage in any attempts to blackmail or sell security information to us.
If you are uncertain about any aspect of the security testing process, please reach out to us at infosec@recur.club.

Our Commitment
- We will not pursue legal action against you if you adhere to the rules outlined above.
- We will acknowledge all appropriately submitted reports and collaborate with you to address the identified issues.
- Our team will conduct a risk assessment for each reported vulnerability. If a report is deemed ineligible, we will provide a reason for our decision.
- We respect your preference to remain anonymous or receive public acknowledgment for your contribution.

Hall of Fame
For eligible reports, we offer the opportunity to recognise your efforts in our Hall of Fame. Your name and optionally a link to your personal page will be listed among our security contributors.

Rewards
- We do not provide cash compensation for security reports.
- Some particularly important reports may receive rewards such as our branded stickers or a t-shirt. To receive these rewards, provide your mailing address in the Contact Form during submission or later when the report's eligibility is confirmed.

What Doesn't Qualify
Reports that fall into the following categories are not eligible for our Bug Bounty program:
- Unauthorized security testing on production servers.
- Bugs reported on platforms other than the designated environment or chance encounters in production.
- Vulnerabilities related to timing and DoS attacks.
- Previously reported vulnerabilities.
- Known vulnerabilities in our technology stack components reported within 96 hours of their public disclosure.
- Issues reproducible only under unlikely conditions.
- Bugs that reveal the existence of email addresses in our database or theoretical brute-forcing.
- Vulnerabilities categorized as accepted risks, including certain account-related aspects and security configuration settings.

Please note that this is not an exhaustive list and detailed rules of engagement will be provided to the security researchers onboarded onto the Recur Club Bug Bounty Program.

We appreciate your commitment to responsible disclosure and collaboration in maintaining the security of our systems. Thank you for your assistance in making Recur Club Technologies Private Limited a safer platform for all users.