
Vulnerability Disclosure Policy

If you have found a security issue in Pathshala, this page explains how to tell us safely and what we promise in return.

1. Our promise (safe harbour)

Pathshala welcomes reports from security researchers who help us protect our users. If you make a good-faith effort to follow this Policy when researching and reporting an issue, we will:

  • not take legal action against you;
  • not contact law enforcement about your research;
  • treat your report as confidential and not share your identity without your permission;
  • work with you to understand and validate your report;
  • acknowledge your contribution publicly if you would like.

This safe harbour is conditional on you staying within the scope and rules below.

2. Scope

The following Pathshala assets are in scope:

  • pathshala.co
  • pathshalainc.com
  • app.pathshala.co
  • *.pathshala.co and *.pathshalainc.com institute subdomains
  • Institute custom-domain portals we host (you must have authorisation from the Institute or operate against your own test Institute)
  • Pathshala OS mobile apps published by Pathshala Inc.

We are particularly interested in: authentication and session handling; authorisation, IDOR and tenant-isolation flaws; remote code execution; SQL, NoSQL and command injection; server-side request forgery; XSS; CSRF where it crosses tenants; broken cryptography; account-takeover chains; sensitive-data exposure; and privacy-affecting issues.

3. Out of scope

The following are NOT in scope and should not be reported:

  • Findings from automated scanners without a working proof of concept;
  • Volumetric denial-of-service or brute-force attacks;
  • Social-engineering or phishing against Pathshala staff or customers;
  • Physical attacks on Pathshala offices, devices, or staff;
  • Self-XSS, missing security headers without a demonstrated impact, missing rate limits on non-sensitive endpoints, cookie flags on cookies without sensitive content;
  • Software version disclosure, presence of autocomplete attributes, lack of CAPTCHA on non-sensitive forms;
  • SPF / DKIM / DMARC misconfigurations unless they enable a working spoof;
  • Vulnerabilities only exploitable against an out-of-date browser or OS;
  • Findings against third-party SaaS that we do not control (Cal.com, Stripe, AWS managed services, etc.) — please report directly to that vendor.

4. Rules of engagement

To stay within safe harbour you agree to:

  • only test against accounts and Institutes that you own or have written authorisation to test;
  • not access or modify other users' data beyond the minimum necessary to demonstrate the issue, and to stop as soon as that is achieved;
  • not perform attacks that could degrade or interrupt the Service for other users;
  • not exfiltrate data;
  • delete any Pathshala or user data you incidentally obtained as soon as it is no longer needed for the report;
  • give Pathshala a reasonable time to investigate and remediate before any public disclosure;
  • comply with all applicable laws.

5. What happens after you report

  • Acknowledgement. Within 2 business days.
  • Triage. Within 5 business days we will confirm whether we can reproduce the issue and rate its severity.
  • Fix. Targets are 7 days for Critical, 30 days for High, 60 days for Medium, 90 days for Low. We will keep you informed of progress.
  • Disclosure. Once the issue is fixed and customers have had a reasonable upgrade window we are happy to coordinate a public write-up; default disclosure window is 90 days from initial report.

6. Recognition

Pathshala does not yet run a paid bug-bounty programme. We do publish a Security Researchers Wall of Thanks and will send Pathshala-branded swag for high-impact reports. Once the user base justifies a paid programme we will move to a managed bounty platform and grandfather existing researchers in.

7. Submit a report

For sensitive material, email security@pathshala.co and encrypt your message to our PGP key; the key fingerprint will be published at /.well-known/security.txt once it is available.

Or fill out the form below. Submissions are rate-limited and CAPTCHA-gated to keep out spam.

We will not share your contact details with third parties without your permission.
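Before trusting a fingerprint found in a security.txt file, a researcher should check that the file itself is well formed under RFC 9116. The following Python checker is an added example, not Pathshala's code or its published file: it verifies that Contact is present with a URI scheme, that there is exactly one Expires timestamp that is neither past nor more than a year away, and that Encryption and other links do not use plain HTTP. The two sample file bodies and the fixed check time are constructed for the example.

```python
"""RFC 9116 sanity checks for a /.well-known/security.txt file.

Added example; not Pathshala's own code or published file. The sample
file bodies and CHECK_TIME below are constructed for the example.
"""
from datetime import datetime, timedelta, timezone

# Constructed: what a well-formed file for this policy could look like.
GOOD_SECURITY_TXT = """\
# constructed sample
Contact: mailto:security@pathshala.co
Expires: 2030-06-30T23:59:59Z
Preferred-Languages: en
"""

# Constructed: a file with three common mistakes (bare address, no Expires, http link).
BAD_SECURITY_TXT = """\
Contact: security@pathshala.co
Encryption: http://example.invalid/pgp-key.txt
"""

# Fixed clock so the checks are deterministic (constructed).
CHECK_TIME = datetime(2030, 1, 1, tzinfo=timezone.utc)

ALLOWED_CONTACT_SCHEMES = ("mailto:", "tel:", "https://")
ALLOWED_ENCRYPTION_SCHEMES = ("https://", "dns:", "openpgp4fpr:")
HTTPS_ONLY_FIELDS = ("canonical", "policy", "acknowledgments", "hiring")


def parse_security_txt(text):
    """Return {lowercased field name: [values]}; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line (no 'Field: value'): {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)

    # Contact is mandatory and must be a URI, not a bare e-mail address.
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        if not c.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, tel: or https: URI: {c}")

    # Exactly one Expires, in RFC 3339 form, in the future and under a year away.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            exp = None
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
        if exp is not None:
            if exp.tzinfo is None:
                problems.append("Expires must include a timezone offset")
            elif exp <= now:
                problems.append("security.txt has expired; do not rely on it")
            elif exp - now > timedelta(days=366):
                problems.append("Expires should be less than a year away")

    # Key material and policy links must not be fetched over plain HTTP.
    for v in fields.get("encryption", []):
        if not v.startswith(ALLOWED_ENCRYPTION_SCHEMES):
            problems.append(f"Encryption must be https:, dns: or openpgp4fpr:: {v}")
    for name in HTTPS_ONLY_FIELDS:
        for v in fields.get(name, []):
            if not v.startswith("https://"):
                problems.append(f"{name.capitalize()} must be an https: URL: {v}")
    return problems


if __name__ == "__main__":
    for label, body in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, check_security_txt(body, now=CHECK_TIME) or "OK")
```

The Expires check matters in practice: an expired file may point at a retired key or mailbox, so a report encrypted to it can go unread.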

Security & trust contact

Pathshala Inc.

1240 Barksdale Dr NE, Leesburg, VA 20176, USA

Security reports: security@pathshala.co

Privacy & data requests: privacy@pathshala.co

General: hello@pathshala.co · +1.571.999.1234
