Security Disclosure Policy

Last updated: 17 May 2026 · RFC 9116 metadata at /.well-known/security.txt

Reporting a vulnerability

We welcome security reports from researchers, customers, and the public. The fastest path is email:

For sensitive reports, encrypt with our PGP key at /.well-known/security-pubkey.asc (rotated annually; fingerprint published at the same URL).

Scope

In scope:

  • sridait.com and all subdomains
  • The candidate portal (/dashboard/*) and admin portal
  • The PHP API surface at /api/*

Out of scope:

  • Third-party services we depend on (Hostinger infrastructure, our SMTP provider, Razorpay if re-introduced) — please report those directly to the vendor
  • Social engineering of staff, physical security, DoS / volumetric attacks
  • Reports based solely on automated scanner output without a working exploit

What we promise

  • Acknowledgement within 2 working days of receiving a report
  • Triage outcome (accepted / duplicate / out-of-scope) within 5 working days
  • Fix or mitigation for accepted High/Critical reports within 30 days
  • Public recognition (your choice) in our hall-of-fame after the fix ships
  • Safe harbour: we will not pursue legal action against good-faith researchers who follow this policy

Data Protection Officer

For data-protection requests (DPDPA / GDPR data subject rights — access, rectification, erasure, portability) contact:

Srida IT — Data Protection Officer
Email: dpo@sridait.com
Backup: info@sridait.com

We act on all access and deletion requests within 5 working days, as publicly committed in our privacy policy and in the candidate welcome email.

Data processing register

A summary of what data we process and why is published at /security/data-processing-register. The internal full register (legal basis, retention period, recipients, cross-border transfer details) is available on request to DPAs and accredited auditors.