Responsible Disclosure

1. Scope

This Responsible Disclosure Policy covers all Genovation-owned systems, including our website (genovation.ai), APIs, documentation sites, and the Genovation platform software itself. We invite security researchers, customers, and members of the public to report vulnerabilities responsibly.

2. How to Report

Send your report to:

Email: security@genovation.ai
PGP key: Available at genovation.ai/.well-known/security.txt
Encryption: We strongly encourage encrypting your report using our PGP key.

Your report should include:

A clear description of the vulnerability
Steps to reproduce, including any tools, scripts, or payloads used
The potential impact and severity (if known)
Your assessment of the affected component (website, API, platform)
Screenshots or proof-of-concept, where helpful
Your name and contact information (if you'd like to be credited)

3. What to Expect

Step	Timeline
Acknowledgment of your report	Within 2 business days
Initial triage and severity assessment	Within 5 business days
Regular status updates	Every 7 days until resolved
Resolution and fix deployment	Varies by severity (target: 30 days for critical)
Public disclosure (if agreed)	After fix is deployed + 30 days

4. Guidelines

To qualify for responsible disclosure protection, please:

Do report vulnerabilities to us before disclosing them publicly
Do provide enough detail for us to understand and reproduce the issue
Do give us reasonable time to address the vulnerability before any disclosure
Don't access, modify, or delete data that does not belong to you
Don't perform denial-of-service attacks, social engineering, or physical attacks
Don't access customer environments or customer data
Don't exploit the vulnerability beyond what is necessary to demonstrate it

5. In-Scope Targets

Target	Type
genovation.ai	Website
api.genovation.ai	API
docs.genovation.ai	Documentation
Genovation Platform (self-hosted)	Software (use your own test instance)

6. Out of Scope

The following are not in scope and should not be tested:

Customer-hosted platform instances (these belong to the customer, not Genovation)
Denial-of-service (DoS/DDoS) attacks against any target
Social engineering or phishing of Genovation employees
Physical attacks against Genovation offices or infrastructure
Automated scanning that generates excessive traffic or load
Findings from automated tools without manual verification
Missing security headers that do not lead to a demonstrable exploit
SPF/DKIM/DMARC configuration issues without a proof-of-concept

7. Recognition

We believe in recognizing the work of security researchers. With your permission, we will:

Credit you on our Security Acknowledgments page
Provide a letter of acknowledgment (useful for your portfolio or CV)
Consider financial rewards for critical and high-severity vulnerabilities (evaluated on a case-by-case basis)

We do not currently operate a formal bug bounty program with fixed payouts, but we are generous with researchers who report significant issues responsibly.

8. Legal Safe Harbor

Genovation Technological Solutions Pvt Ltd will not initiate legal action against security researchers who comply with this policy. We consider responsible security research conducted in accordance with these guidelines to be authorized, lawful, and helpful. We will not pursue civil action or criminal complaints against researchers acting in good faith.

If a third party initiates legal action against you for activities conducted in accordance with this policy, Genovation will make reasonable efforts to make it known that your actions were conducted in compliance with our policy.

9. Contact

Security reports: security@genovation.ai
General security inquiries: info@genovation.ai
PGP fingerprint: 4A3B 8F2C 91D7 E6A5 ... (full key at security.txt)