Found a Security Issue on Fynd.com? Here's What to Do

At Fynd, we deeply appreciate the efforts of ethical hackers and security researchers who act in good faith to help us improve our platform’s security. We understand that finding bugs and vulnerabilities takes time and skill - and we welcome responsible disclosure that protects our systems, users, and data.
That said, we’ve seen a growing number of messages from individuals who report bugs and immediately request money to fix them. This post is to clarify our standard process and explain what to expect when you discover a vulnerability on our platform.
✅ We Have a Responsible Vulnerability Disclosure Policy
We officially support good-faith security research under a publicly available Vulnerability Disclosure Policy. This policy is designed to:
- Encourage responsible security testing on our platform
- Provide safe harbor for researchers who act ethically
- Set clear expectations on what is allowed, how to report, and what happens next
You can find the full document here, or contact us at security@gofynd.com.
🧪 What You Can Test
We allow non-destructive testing of our publicly accessible systems, within the following bounds:
- Any subdomain of fynd.com
- No phishing, social engineering, DDoS, data exfiltration, or unauthorized lateral movement
- No tampering with or accessing other users' data
Always follow responsible testing guidelines. Any activity outside the defined scope may void protection and be treated as unauthorized.
📬 How to Report a Vulnerability
To responsibly report a vulnerability, email security@gofynd.com with the following:
- A clear description of the issue
- Proof of concept (PoC)
- Steps to reproduce
- Impact and risk assessment
- Your contact details
We aim to acknowledge valid reports within 5 business days and will work with you through the investigation and resolution process.
📢 Coordinated Disclosure Only
We follow a 90-day embargo policy:
Researchers are expected not to publicly disclose any details for 90 days after acknowledgment so we can remediate the issue and protect users.
If a critical issue is actively being exploited or requires faster action, we may accelerate coordinated disclosure. Unauthorized public disclosure may void safe harbor protections.
🤝 What You Can Expect from Us
If your report is valid and valuable, we may offer:
- A Certificate of Contribution
- Acknowledgment (private or public with your consent)
- The satisfaction of helping secure one of India’s fastest-growing platforms
❗ However, we do not offer cash rewards, bounties, or payments unless previously agreed to in writing. We do not participate in any bug bounty program at this time.
🚫 What Not to Do
We strictly prohibit:
- Extortion or ransom demands
- Scanning that disrupts services
- Phishing, social engineering, or accessing unrelated data
- Demanding money in exchange for silence or disclosure
Researchers who violate these rules will lose safe harbor protection, and we may involve legal teams as needed.
🤓 In Summary
If you’ve found a bug, thank you! Here’s what to do:
- Review our Vulnerability Disclosure Policy
- Ensure your testing falls within authorized scope
- Email security@gofynd.com with a detailed, responsible report
- Wait for our team to investigate - and we’ll take it from there
Let’s build a safer web - together.