Security Disclosure

How to report security vulnerabilities responsibly. We value the work of security researchers and are committed to working with the community to improve our security.

Version 1.0
Last updated April 2026

Notice

This policy is being finalised and will be published before TatvaCRM's commercial launch. The section headings below indicate the topics that will be covered.

1. Reporting a Vulnerability

This section will describe how to report a security vulnerability, including the preferred communication channel (security@tatvacrm.com), what information to include in a report, and our commitment to acknowledging reports within 24 hours.

2. Scope

This section will define what is in scope for security research, including the domains and applications covered, and any areas that are explicitly out of scope (such as social engineering of staff or denial-of-service testing).

3. Safe Harbour

This section will describe our safe harbour commitment to security researchers who act in good faith, including our pledge not to pursue legal action against researchers who follow the responsible disclosure guidelines outlined in this policy.

4. Response Timeline

This section will detail our response timeline, including acknowledgement within 24 hours, initial assessment within 72 hours, and our target for deploying fixes based on severity classification.

5. Recognition

This section will describe how we recognise security researchers who report valid vulnerabilities, including our security acknowledgements page and any other recognition programmes.

For questions about this policy, email support@tatvacrm.com.