ClickPost Responsible Disclosure

At ClickPost, we take the security of our data and systems very seriously. We value the contribution and assistance of everyone in helping us secure our systems. If you discover any security vulnerability in our system, we would appreciate your cooperation in disclosing it responsibly.


Guidelines for disclosure

If you encounter a vulnerability within our product or systems, email your report to  if it meets the requirements mentioned below.
  • If a bug is discovered, it must not be publicly disclosed before being fixed by ClickPost.
  • ClickPost will not be held responsible for the violation of any guideline, rule, and/or legislation on your end. 
  • The privacy and data of users must be protected at all times.
  • There should be no disruption to our production systems or destruction of data during security testing. 
  • Do not attempt to perform brute-force attacks or denial-of-service attacks.
  • If a security issue is discovered, it must not be exploited for any reason whatsoever.
  • A proof-of-concept (PoC) submitted must have all the steps required to reproduce the issue.
  • The use of automated tools, such as Nmap scans or SSL/TLS scans, is strictly prohibited.


Scope of domains

Within scope: * except
Out of scope:

Vulnerabilities within Scope

  • SQL Injection
  • XXE
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS), excluding Self-XSS
  • Broken Authentication
  • Broken Session flaws
  • Remote Code Execution
  • Privilege Escalation
  • Directory Traversal - Local File Inclusion
  • Open redirect
  • Misuse/Unauthorized use of ClickPost’s APIs
  • Leaking customer's sensitive data
  • Email Spoofing - SPF Records Misconfiguration
  • Server-Side Request Forgery (SSRF)


Vulnerabilities out of scope

  • Any issues related to software or application not under ClickPost’s control
  • Vulnerabilities that depend upon social engineering techniques
  • Any physical attempts made against ClickPost property
  • Minor and trivial issues such as version disclosures
  • Clickjacking
  • DDoS attacks
  • Subdomain Takeover
  • CSRF with very limited impact
  • Banner Grabbing
  • Cookie attributes not set/Secure flag issues
  • Reports on outdated browsers
  • SSL/TLS controls where other mitigating controls exist
  • CORS
  • Insecure Direct Object Reference

If you adhere to the above rules, we will do the following:

  • Acknowledge your report and work with you to fix the bug
  • Notify you once the bug is fixed
  • Issue bounty awards for eligible findings*
*To be eligible for rewards, reports must comply with all parts of the policy. The bug bounty will only be awarded to the first to report the issue to us.
ClickPost will offer bounty awards for eligible findings in the range of INR 2500 to INR 14000*.
*The award will depend on the severity of the issue. The severity shall be subject to the decision of the internal team at ClickPost.