Last Edit Date: 31st Aug, 2025
Security Responsible Disclosure Policy
At Sikhami, the security of our users’ data and the integrity of our platform are of utmost importance. We are committed to providing a safe and secure environment for students, institutes, and educators on our platform.
This Responsible Disclosure Policy provides ethical guidelines for reporting security vulnerabilities, giving us sufficient time to identify, investigate, and patch the issues before they become public.
By following this policy, you help us protect our users, maintain the security of our services, and contribute to improving the overall safety of the Sikhami ecosystem.
—
How Responsible Disclosure Works at Sikhami
If you identify one or more security vulnerabilities in any of Sikhami’s environments, we ask that you:
Do not publicly disclose the vulnerability until it has been resolved.
Report the vulnerability privately by emailing us at help@sikhami.com.
Allow us a reasonable amount of time to investigate and patch the vulnerability before sharing it publicly.
—
Scope
The following environments are in-scope for reporting vulnerabilities:
All Sikhami applications (Android and Web)
All Sikhami domains and subdomains:
`.sikhami.com`
Sikhami APIs and backend services
—
What to Report
We encourage you to report any vulnerability that:
Compromises user data
Bypasses privacy protections
Enables unauthorized access
Impacts the integrity of our platform or its services
—
How to Report a Vulnerability
Please send an email to help@sikhami.com with the following details:
1. Vulnerability Type (e.g., XSS, SQL Injection, IDOR, SSRF, etc.)
2. Affected Service (e.g., Website, Mobile App, API, etc.)
3. Detailed Description of the vulnerability
4. Proof of Concept (logs, screenshots, or video as applicable)
5. Impact Assessment – how the vulnerability affects users or data security
—
Prohibitions
To ensure a safe and ethical testing process, the following activities are strictly prohibited:
Attempting to access another user’s account or private data
Performing attacks that could harm the integrity or availability of Sikhami’s services
Publicly disclosing any vulnerability before it is fixed
Testing third-party services or applications not owned by Sikhami
Using automated vulnerability scanners or exploitation tools
Phishing, social engineering, or physical attacks on Sikhami’s employees, users, or infrastructure
Any form of Denial of Service (DoS/DDoS) attacks
—
Out of Scope Vulnerabilities
The following findings are not considered security vulnerabilities and are out of scope:
HTTP 404 or other non-200 response codes
Disclosure of publicly available files (e.g., `robots.txt`)
Clickjacking on non-sensitive pages
CSRF on forms available to anonymous users
Lack of Captcha or weak Captcha
Brute-force attempts on login pages
Missing security headers without a proven exploit
SSL/TLS configuration findings without a working proof-of-concept exploit
Vulnerabilities affecting outdated browsers or platforms
Issues that require unrealistic user interaction
—
Terms and Conditions
Testing and reporting must comply with all applicable laws.
Testing must be performed only on your own account.
Do not attempt to access or modify other users’ data without explicit consent.
Sikhami reserves the right to modify, suspend, or terminate this program at any time.
As of now, Sikhami does not provide monetary rewards for vulnerability reports.
—
Contact Us
For responsible vulnerability disclosures, please contact us at:
📧 Email: help@sikhami.com