Responsible Vulnerability Disclosure Policy

Finnable Technologies Private Limited (“Finnable”, "we," "us," or "our") is committed to maintaining the highest standards of security and protecting the confidentiality, integrity, and availability of customer data and financial systems and recognize its responsibility to safeguard sensitive financial information and ensure robust security compliance.  
We acknowledge and value the critical role that independent security researchers and the  cybersecurity community play in identifying and responsibly disclosing security  vulnerabilities. This Responsible Vulnerability Disclosure Policy ("VDP" or "Policy") establishes clear guidelines, expectations, and protections for security researchers who discover and  report potential security vulnerabilities in our digital assets and services.

This policy applies to any individual or entity that discovers, or believes they have discovered, a potential security vulnerability in Finnable's in-scope systems, applications or digital infrastructure. This includes independent security researchers, bug bounty hunters,  penetration testers, and members of the general public.

(a) In-Scope Systems and Assets

• All web applications accessible at “.finnable.com” and related subdomains
• Finnable's customer-facing mobile applications (Android and iOS) on official app stores

(b) Out-of-Scope Systems and Assets

• Third-party services, platforms, or APIs not directly owned by Finnable (e.g., credit bureau APIs, payment gateways, e-sign providers)
• The organization's corporate email systems or internal employee collaboration tools
• Physical premises, hardware, or network equipment
• Social engineering or phishing attacks targeting Finnable employees or customers
• Automated vulnerability scanning of production systems without prior written approval

(a) Illustrative Vulnerability Types

The following categories of vulnerabilities are illustratively considered in-scope and eligible for review, recognition:

• SQL injection, NoSQL injection, LDAP injection, OS command injection
• Broken authentication and session management
• Insecure Direct Object References (IDOR) and broken access control
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF) on sensitive authenticated functions
• Server-Side Request Forgery (SSRF)
• Remote Code Execution (RCE) or local file inclusion/traversal
• Sensitive data exposure: customer PII, financial data, loan data, API keys in source code
• Business logic vulnerabilities impacting loan origination, disbursals, or repayments
• Mobile application security issues (insecure data storage, hardcoded credentials,reverse engineering exposures etc)
• API security issues (lack of rate limiting on sensitive endpoints, missing authentication)
• Subdomain takeover vulnerabilities with demonstrable proof
• XML External Entity (XXE) injection

(b) Out-of-Scope Vulnerability Types

The following categories will not be accepted as valid vulnerabilities under this Policy. Submission of these types without clear evidence of exploitability may result in the report being closed as informational:

• Reports generated by automated scanning tools (Nessus, Burp Suite scanner output, etc.) without manual validation and working PoC
• Known vulnerable libraries/frameworks without demonstrable exploit
• Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
• Social engineering of employees or customers
• Missing best-practice HTTP security headers (X-Frame-Options, CSP) without demonstrated  exploitability
• Self-XSS vulnerabilities that require the victim to execute the payload in their own session
• CSRF on logout or non-sensitive, unauthenticated functions
• Clickjacking on non-sensitive pages
• Missing Content Security Policy (CSP) without demonstrable XSS
• Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin: \* or accepting of custom Origin header that does not specifically show a valid attack scenario
• Open redirect without a demonstrated chained attack scenario
• Theoretical subdomain takeover without a working PoC demonstrating control
• SSL/TLS configuration reports (e.g., weak cipher suites) without demonstrable exploit
• SSL/TLS best practices, attacks
• Missing SPF, DKIM, or DMARC records without demonstrable email spoofing PoC
• Password complexity or account enumeration without mass user enumeration evidence
• Vulnerabilities only exploitable on rooted or jailbroken devices
• Directory listings without sensitive content
• Issues affecting users of browsers more than two major versions behind the latest stable release
• Social engineering, phishing, vishing, or physical access attacks
• Any issue in a third-party component not under the organization’s control
• Lack of rate limiting without proof of abuse potential

The following categories will not be accepted as valid vulnerabilities under this Policy. Submission of these types without clear evidence of exploitability may result in the report being closed as informational:

• Accessing, downloading, modifying, or exfiltrating any customer data, financial records, employee data, or any proprietary data not belonging to you
• Performing Denial-of-Service attacks or any action that degrades the availability, performance, or integrity of the Finnable's systems
• Attempting to gain unauthorized access to internal networks, back-end systems, or administrative interfaces
• Deploying malware, backdoors, ransomware, or any malicious code on Finnable's systems
• Engaging in social engineering, phishing, or pretexting against Finnable employees, customers, or partners
• Publicly disclosing, sharing, or publishing any vulnerability details, PoC, or sensitive data discovered during research before Finnable has remediated the issue and provided written approval for disclosure
• Conducting testing on behalf of a third party, a competitor of Finnable, or any foreign intelligence entity
• Testing outside of declared scope without prior written permission
• Demanding payment or extorting Finnable as a precondition to disclosing vulnerability details
• Running automated scanners or fuzzers that cause load on production systems

To report a potential security vulnerability, please submit your findings through our security  mail handler security@finnable.com. 
To facilitate efficient triage and remediation, please include the following in your report:

• Vulnerability Summary and the Type: Clear, concise description of the vulnerability and its classification(SQL Injection, XSS, IDOR, etc.)
• Affected Asset(s): Specific URL, API endpoint, mobile app version, or system component
• Steps to Reproduce: Detailed, step-by-step instructions to reproduce the vulnerability
• Proof of Concept: Code snippets, HTTP requests, screenshots, or video demonstration
• Impact Assessment: Description of potential security impact and attack scenarios
• Remediation Suggestions: (Optional) Your recommendations for fixing the issue
• Your Information: Name/handle and contact email for communication