Welcome to the Needl.ai Vulnerability Disclosure Program 🎉!

As part of our commitment to security, we invite you to help us identify vulnerabilities in our AI-assisted information hub. By submitting vulnerabilities and exploitation techniques, you have a chance to earn rewards (XOXOday Vouchers) determined by Needl.ai. We value your contributions and take your findings seriously. Please note that Needl.ai retains the right to make final decisions on rewards and may modify or terminate the program as needed. Thank you for joining us in creating a safer platform!

Disclosure Policy:

• We request that you inform us promptly upon discovering a potential security vulnerability.
• Our team will work quickly to resolve the issue. We ask for a reasonable time period to resolve the issue before it is disclosed to the public or any third-party.
• We kindly request that you make a sincere effort to avoid violating privacy, damaging data, or disrupting our services in any way.

Reporting Guidelines

• Please provide detailed reports with clear textual description of the report along with steps to reproduce the vulnerability.
• You must include attachments such as screenshots or PoC code as necessary.
• Include a clear attack scenario. How will this affect us exactly?
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

Confidentiality of submissions/ restrictions on disclosure

Protecting customers is needl's highest priority. We endeavour to address each Vulnerability report in a timely manner. While we are doing that, we require that the Submissions remain confidential and cannot be disclosed to third parties or as part of paper reviews or conference submissions.

You can make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is fixed. We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for 60 days after the Vulnerability is fixed. needl will notify you when the Vulnerability in your Submission is fixed.

Violations of this section could disqualify you from participating in the program in the future.

Public recognition

Needl may publicly recognize individuals who have submitted vulnerability reports which helped needl to fix any probably vulnerability(ies) in the system. Needl at it is discretion may recognize you on its website unless you explicitly ask us not to include your name.

Expected behaviour from you

By participating in the Program, you will follow these rules:

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Only target your own accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the accounts of other users without the express permission of our team.
• Don't do anything illegal.
• Don't engage in any activity that exploits, harms, or threatens to harm children.
• Don't send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
• Don't share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).
• Don't engage in activity that is false or misleading.
• Don't engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).
• Don't infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.
• Don't help others break these rules.
• We are currently accepting reports for critical vulnerabilities only, such as RCE, subdomain takeover, and similar server-level vulnerabilities in the dev environments ( *.idatagenie.com ). Please refrain from reporting business logic bugs, beta feature access, and other non-critical issues for these subdomains. (Use app.needl.ai , which is our main webapp, to test for business logic bugs, or any other p1-p4 severity issues)

If you violate these Terms, you may be prohibited from participating in the Program in the future.

Rewards

We offer XOXOday Vouchers as a reward for successful bug reports, which are categorized based on their priority level. The Priority-Reward Bracket is as follows:

Severity	Reward
P1	20,000 INR
P2	15,000 INR
P3	5,000 INR
P4	1,000 INR

Exclusions

Reports falling into the categories listed below are considered out of scope for our VDP program :

• Clickjacking on pages with no sensitive actions
• Comma Separated Values (CSV) injection without demonstrating vulnerability.
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Attacks requiring MITM or physical access to a user's device
• Any activity that could lead to the disruption of our service (DoS)
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Rate limiting or bruteforce issues on non-authentication endpoints
• Service hardening recommendations without a clear security impact. This includes lack of, or weak, Captcha or rate limiting usage. This includes brute forcing that improper rate limiting can allow.
• Unrestricted file uploads without a clear impact, beyond resource consumption, DoS, undesirable content, etc.
• Self-XSS
• Missing security headers
• Missing HttpOnly or Secure flags on cookies
• Weak password policies
• Session Management, such as: session timeout, session hijacking, etc.
• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
• Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
• Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.
• Previously known vulnerable libraries without a working Proof of Concept.
• Public Zero-day vulnerabilities that have had an official patch for less than 1 month
• Tabnabbing
• Open redirect - unless an additional security impact can be demonstrated
• Issues that require unlikely user interaction

Out of Scope Vulnerabilities for Mobile

• Lack of certificate pinning, or HSTS.
• Inadequate root prevention/detection in APK
• Lack of obfuscation or binary protection (anti-debugging) controls
• Any exploit that requires tricking the user into installing a malicious app
• Vulnerabilities requiring extensive user interaction
• Exposure of non-sensitive data on the device
• Storage of sensitive data in the in-app private directory
• Transmission of sensitive data through unsecured HTTP with TLS protection
• Discovery of hardcoded keys in mobile applications without a feasible attack scenario.
• Exploits using tools such as Frida
• Any kind of vulnerabilities that requires physical device access (e.g. USB debugging), root/jailbroken access or third-party app installation in order to exploit the vulnerability
• URI leaks caused by malicious apps with permission to view opened URIs or Snapshot/Pasteboard leakage
• Crashes due to malformed Intents sent to exported activities, services, or broadcast receivers (exploiting these for sensitive data leakage is within scope)
• Inadequate binary protection control in APK
• Vulnerabilities reported in modified APK through unofficial systems.

Exceptions

• if you strongly believe any of our infrastructure, outside of this program/scope, has some must addressable critical vulnerabilities, we are open to receiving reports on the same.
• We will consider them for rewards, even if they are out of scope but still turn out to be something critical for our business, on a case by case basis.