bataSutra
News, context & tools

Responsible Disclosure

We value the security community. If you’ve found a vulnerability, please report it responsibly. We’ll acknowledge, triage, and fix valid reports.

In scope

  • Hosts under *.batasutra.in and batasutra.in
  • Public web apps, dashboards, and APIs owned by bataSutra
  • Mobile experiences and PWA surfaces linked from our site

Out of scope

  • Third-party services, CDN edges, or domains we don’t control
  • Denial of service, volumetric attacks, or rate-limit testing
  • Brute-force or credential-stuffing attacks against accounts you don't own (i.e. without the account holder's consent)
  • Reports without security impact (e.g., clickjacking on non-sensitive pages, missing SPF/DMARC on parked domains)

Guidelines for researchers

  • Do not access, modify, or exfiltrate data that isn’t yours; use test accounts.
  • Avoid privacy violations, data destruction, and service disruption.
  • Provide a clear write-up with impact, steps to reproduce, and a minimal PoC.
  • Give us reasonable time to fix before public disclosure.

How to report

  1. Send an email to security@batasutra.in.
  2. Include a summary, the impact, the affected asset/URL, and reproduction steps.
  3. Attach a PoC (text/screenshot) and logs where relevant.
  4. For sensitive details, encrypt the report with our PGP key, after checking that its fingerprint matches the one we publish.
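Step 4 in practice, as an added example (this is not bataSutra's own tooling): the script below works in a throwaway keyring, checks the recipient key's fingerprint before encrypting, and ASCII-armours the output so it can be pasted into an email. Because this page does not carry the program's key, the script generates a stand-in key for security@batasutra.in and reads the "expected" fingerprint from it; a researcher would instead import the real key and set EXPECTED_FPR to the published value. Requires GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example, not part of the bataSutra policy: encrypt a report to the
# program's PGP key only if the key's fingerprint matches the published one.
set -eu

# Throwaway keyring so nothing here touches the researcher's real keys.
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"

RECIPIENT="security@batasutra.in"

# Constructed stand-in for the program's key (assumption: in real use the key
# is imported from the published fingerprint, not generated locally).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "bataSutra Security <$RECIPIENT>" default default never \
    >/dev/null 2>&1

# Primary-key fingerprint as printed in machine-readable (colon) format.
fingerprint_of() {
  gpg --batch --with-colons --fingerprint "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

# In real use this is the fingerprint copied from the policy page; here it is
# read back from the stand-in key so the example runs offline.
EXPECTED_FPR="$(fingerprint_of "$RECIPIENT")"

# Refuse to encrypt unless the key in the keyring is the one we expect.
check_fingerprint() {
  [ "$(fingerprint_of "$1")" = "$2" ]
}

# Encrypt a report file to the recipient, armoured for pasting into email.
encrypt_report() {
  in="$1"; out="$2"
  check_fingerprint "$RECIPIENT" "$EXPECTED_FPR" || { echo "fingerprint mismatch for $RECIPIENT" >&2; return 1; }
  gpg --batch --quiet --yes --trust-model always --armor \
      --recipient "$RECIPIENT" --output "$out" --encrypt "$in"
}

# Round-trip a constructed sample report: encrypt, decrypt, compare; prints "ok".
roundtrip() {
  dir="$(mktemp -d)"
  printf 'Summary: <one line>\nImpact: <what an attacker gains>\nSteps: <minimal PoC>\n' > "$dir/report.txt"
  encrypt_report "$dir/report.txt" "$dir/report.asc"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' --decrypt "$dir/report.asc" 2>/dev/null \
    | cmp -s - "$dir/report.txt" && echo ok
}
```

Run `roundtrip` to see the encrypt/decrypt cycle succeed; change EXPECTED_FPR to any other value and encrypt_report refuses to produce ciphertext, which is the behaviour you want when a key has been swapped.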

Severity bands

Severity | Description | Examples
Critical | Unauthenticated RCE, full database read/write, authentication bypass | RCE; admin account takeover; payment tampering
High | Privileged data access or cross-tenant access | IDOR exposing other users' data; SSRF reaching internal metadata services
Medium | Limited data exposure, or privilege escalation under specific conditions | Stored XSS (limited scope); CSRF on a sensitive action
Low | Hardening issues with limited impact | Clickjacking on sensitive pages; verbose server banners

Safe Harbor

  • If you make a good-faith effort to comply with this policy, we will not pursue legal action.
  • We consider research under this policy authorized under the CFAA and similar laws.
  • If a third party initiates legal action, we will make it known that your actions were conducted in accordance with this policy.

Program change log

2025-09-22
Static release build
Converted to static content; top/bottom tickers hydrate from Google Sheets (Headlines tab).