Responsible Disclosure policy

At Practo, we take safety and security of our customers’ data very seriously and stand guard to the trust put in us by our users.


We understand the importance and value of the role played by security researchers and ethical hackers in keeping the internet safe. Therefore, we support their responsible efforts in not only identifying potential vulnerabilities but also reporting them responsibly.


We urge you to review the Responsible Disclosure Policy before you test and/or report an issue with any of our applications. We assure you that Practo will never pursue any legal action against users who report the issues, as long as they follow these guidelines.


Who can participate in the program?

Anyone who doesn't work for Practo or partners of Practo who reports a unique security issue in scope and does not disclose it to a third party before we have patched and updated will be eligible to take part in this program.

Responsible Disclosure policy:

  • - Report your finding by writing to us directly at secure@practo.com without making any information public.
  • - We will respond as quickly as possible, generally takes 24-48 hours.
  • - In best interest of our customers and their data, please do not publicly disclose the issue until it has been addressed by Practo within a reasonable timeframe.
  • - In order to keep everyone safe, please act in good faith towards our users' privacy and data during your disclosure. We won't take legal action against you or administrative action against your account if you act accordingly.
  • - Make every effort to avoid privacy violations, disruption to production systems, degradation of user experience and destruction of data during security testing. This would include Brute Force, DoS, Spamming, Scraping, Social Engineering etc.

Reporting guidelines

Please include the following information when sending us the details:

  • - Operating System name and version.
  • - Client name and version.
  • - Plugin names and version installed in the client.
  • - Steps necessary to reproduce the vulnerability including any specific settings required to be reproduced (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).
  • - A copy of the source code following your successful test.
  • - What is the impact of the issue.
  • - What are some scenarios where an attacker would be able to leverage this vulnerability?
  • - What would be your suggested fix?

Scope

  • - All subdomains of practo.com i.e. *.practo.com
  • - Practo mobile apps -- Android, iOS

Our responsibility

Once we receive the details from you, we will ensure to acknowledge the issue within 24-48 hours. We’ll assess the issue and provide you with an estimated timeframe for addressing the reported vulnerability. We will notify you once the vulnerability is fixed. And last but not least, our gratitude and sincerest thanks to you for helping us keep user data and services safe and secure.

Legal terms

By participating in Practo’s Responsible Disclosure program (the “Program”), you acknowledge that you have read and agree to Practo’s Terms of Service as well as the following:

    - Your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.

    - You are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.

    - Practo reserves the right to terminate or discontinue the Program at its discretion.