Security Policy & Vulnerability Disclosure

How to report a security vulnerability on BambooPaper.in — scope, response SLA, safe-harbor language and credit policy. RFC 9116 compliant.

Last updated:

BambooPaper.in (operated by Agochar Tech LLP) takes the security of customer accounts, payment flows and operational infrastructure seriously. This page sets out how to report a vulnerability, what we consider in scope, and what you can expect from us in return. It is the human-readable companion to our security.txt file (RFC 9116).

1. How to report

Send vulnerability reports to security@bamboopaper.in. PGP encryption is not required. Please include:

  • A clear, reproducible description of the issue
  • The exact URL(s), request payloads or steps to reproduce
  • Impact assessment — what an attacker could do
  • Your preferred name (or pseudonym) for public credit, if any

Please do not file vulnerability reports through the public /contact/ form, social media, or by raising a customer-support ticket — those channels are read by non-security staff and can delay triage.

2. Response SLA

  • Acknowledgement: within 2 business days (IST, Mon–Sat 10:00–19:00)
  • Triage + severity assessment: within 5 business days
  • Fix or mitigation: within 14 days for high-severity issues, 30 days for medium, 90 days for low
  • Disclosure: coordinated — we ask reporters to keep details confidential until a fix is deployed

3. In scope

  • The bamboopaper.in storefront, including the cart, checkout, account dashboard and subscription portal
  • The Medusa admin and storefront APIs hosted under api.bamboopaper.in
  • Authentication and session handling (login, password reset, email verification, magic links)
  • Payment-link verification, Razorpay webhook signature validation, idempotency guarantees
  • Order, customer and admin data confidentiality and integrity
  • Webhook receivers (Razorpay, Shiprocket, ZeptoMail) — signature bypass or replay
  • Maintenance-mode bypass without authorisation
  • Server-Side Request Forgery, command injection, SQL injection, XSS, CSRF, SSTI
  • Subdomain takeover or DNS misconfiguration on bamboopaper.in / agochar.in

4. Out of scope

  • Reports against generated PDF invoices, MSDS, or marketing PDFs
  • Self-XSS that requires the user to paste code into their browser console
  • Missing rate-limit headers on bot or scraper traffic that does not affect customer-facing functionality
  • DMARC / SPF / DKIM weakness on outbound transactional email (we operate ZeptoMail with the recommended records, but Zoho-side anti-spoofing is upstream of us)
  • Reports of best-practice nags from automated scanners without a working proof-of-concept
  • Click-jacking on unauthenticated marketing pages with no sensitive action
  • UI / UX issues that do not present a security risk
  • Spam or social-engineering against support inboxes
  • Issues in third-party services (Razorpay, Shiprocket, ZeptoMail, Zoho Campaigns) — please report those directly to the vendor
  • Denial-of-Service attacks, traffic floods, brute-force without rate-limit-bypass evidence
  • Attacks requiring physical access to a user's device

5. Safe-harbor language

We will not pursue civil or criminal action against good-faith security researchers who:

  • Make a reasonable effort to avoid privacy violations, data destruction, service disruption and degradation of customer experience
  • Only interact with their own accounts or with test accounts they have created
  • Do not exploit a vulnerability beyond the minimum needed to confirm its existence and impact
  • Give us reasonable time to investigate and fix before any public disclosure
  • Comply with applicable Indian laws, including the IT Act 2000 and DPDPA 2023

If you have any doubt whether a planned test is in scope or safe, email us before testing.

6. Bounty & credit

We currently do not operate a paid bug-bounty programme. For valid in-scope reports we offer:

  • Public acknowledgement on our security credits page, with the reporter's permission
  • A small thank-you gift (a BambooPaper product bundle) for significant findings
  • A LinkedIn recommendation from the security contact, if requested

A paid bounty programme is on our roadmap once the engineering team has the bandwidth to triage at volume.

7. After a fix is shipped

Once a vulnerability is fixed and customer impact (if any) has been addressed, we will:

  • Notify you that the fix is live, with a brief technical summary of what changed
  • Ask you for written consent before publishing credit on this page
  • Update this page and the security.txt file if our policy changes materially

8. Contact

Email: security@bamboopaper.in
Languages: English, Hindi
Hours: Mon–Sat, 10:00 – 19:00 IST
Postal: Agochar Tech LLP, Rajkot, Gujarat 360005, India