Responsible Disclosure


Responsible Disclosure

We at ENCIPHERS truly believe that whether it is a growing firm or a well-known enterprise, security should be given the utmost priority. As a team, of enthusiastic security researchers, we are investing each day by finding security vulnerabilities for our clients. Being a security services provider, we make sure that you are able to use our website and products securely. We are committed to the privacy and security of our user’s data. But YES, vulnerabilities are inevitable. For that sole reason, we are inviting security professional to test for any vulnerabilities on our website or products.

Whether it is a small vulnerability or a critical one, send us your report by filling the form below. If it a valid report, we will respond within 48-72 hours. As of now, we are not providing monetary rewards for Low and medium vulnerabilities. Monetary/Swag rewards are only provided for High and critical severity vulnerabilities. Though, we would be happy to put your name in our Hall Of Fame list.

Rules Of Engagement

When submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure. A submission that does not meet these requirements may not qualify for the Hall of Fame.

The following attributes are expected in a valid submission:

  • Description of the vulnerability.
  • Steps for reproduction. If we cannot reliably reproduce the issue, we cannot fix it.
  • Impact of the vulnerability an exploit scenario.
  • Proof of concept.
  • Any reference link


Currently only below are in scope:

Out Of Scope

Anything which looks like a test domain, or not a production website. Like, (removed domain).

Note: Please refrain from doing any stress testings like DoS or DDoS as it can pose a problem for our users.

Not Applicable Vulnerabilities

Please refrain from sending us a report on the below issues. Even if they are reproducible, ENCIPHERS consider them as Informational and not a security vulnerability.

  • Presence of banner or version information
  • OPTIONS / TRACE HTTP method enabled
  • “Advisory” or “Informational” reports such as user enumeration
  • Vulnerabilities requiring physical access to a system
  • Missing CAPTCHAs
  • Default web server pages
  • Brute-force attacks
  • Content injection
  • Hyperlink injection in emails
  • Missing SPF/DMARC records
  • Content Spoofing
  • Issues relating to password policy
  • Full-path disclosure
  • Version number information disclosure
  • XML.RPC being accessible publicly (Or enumeration using XML.RPC)
  • CSRF-able actions that do not require authentication (or a session) to exploit
  • Issues on 3rd-party subdomains/domains of services we use. Please report those issues to the appropriate service.
  • Reports related to the security-related headers: Strict Transport Security (HSTS) - XSS mitigation headers (X-Content-Type and X-XSS-Protection) - X-Content-Type-Options - Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
  • Click-jacking (without a valid exploit)
  • DOS vulnerabilities
  • Any theoratical issue, which does not seem to be exploitable

Responsible Disclosure Form

    Currently, we are not providing any monetary rewards. As a token of appreciation for your work, we will add you to our Hall of Fame.

    Have more questions? Need our PGP key? Send an email to

    Happy Hacking .:)