Vulnerability Disclosure Policy

Introduction

FuturaNexus Private Limited, renowned for its pioneering brand "GetMedJob," stands at the forefront of innovation in India's tech landscape. While we empower countless individuals to realize their professional aspirations, we recognize the invaluable role that security researchers and bug hunters play in fortifying our platform. At FuturaNexus, our unwavering commitment lies in achieving scalability, reliability, and above all, security. Although our internal teams tirelessly bolster our web and mobile applications, we wholeheartedly embrace the ethos of peer review within the technical community. Thus, we approach every vulnerability disclosure with the utmost seriousness and extend an invitation for you to become our trusted "extra set of eyes."

Scope of Systems

https://getmedjob.com/*

https://employer.getmedjob.com/*

https://enabler-dashboard.getmedjob.com/*

Android and iOS applications

Exclusions

Any endpoint or asset not explicitly outlined in the scope, be it vendor-owned, third-party applications, or internal and external domains of FuturaNexus Private Limited, is strictly off-limits for testing purposes. Permission must be obtained before conducting secondary testing or pivoting from one vulnerability to another.

Prohibited Testing Methods

  • Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks, automated scanning, or manual testing leading to similar conditions
  • Brute-forcing and dictionary-based attacks
  • Social engineering tactics
  • Attacks compromising the integrity of GetMedJob users or their accounts
  • Attempts to compromise user accounts
  • Vulnerabilities obtained through the compromise of user or employee accounts

Accepted Vulnerabilities

All vulnerabilities, whether listed in OWASP's Top 10 or SANS 25, are welcomed provided they are directly associated with in-scope systems, unique, not previously reported, not classified as a P5 issue in Bugcrowd's VRT, and do not fall under the following categories:

  • Cookies (excluding session cookies) lacking secure flags
  • Issues already known and undergoing remediation by internal teams
  • Multiple reports for the same vulnerability type with minor discrepancies (only one will be accepted)
  • Issues deemed intended functionality by our development and security teams
  • Accepted risks, as determined by our security team
  • IDOR references for objects with appropriate permission
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages
  • Fingerprinting/banner disclosure on common/public services
  • Disclosure of known public files or directories (e.g., robots.txt)
  • CSRF on forms accessible to anonymous users
  • Absence of captcha and session timeouts
  • Error messages such as stack traces or DB errors, unless accompanied by a POC demonstrating exploit utilization
  • Clickjacking issues (excluding non-financial or login pages)

If a vulnerability pertains to a third-party vendor associated with FuturaNexus Private Limited, testing must be immediately suspended, and notification sent to us. Further testing may proceed only with explicit permission.

Official Communication Channels

Please report security issues or direct any inquiries via info@getmedjob.com, providing all pertinent information. We endeavour to respond within 5 business days. Should no response be received within this timeframe, a reminder may be sent after a week.

Reporting Protocol

To facilitate responsible disclosure in adherence to the VDP, please complete the form provided below accurately. Any errors must be rectified by resubmitting the form:

Form link: https://forms.gle/1rsfujgmZdwZ3CgC8

Kindly ensure vulnerability reports remain up-to-date by promptly providing any new information. Reports may be shared with affected partners, vendors, or open-source projects. If feasible, please include a POC video. 

If there is any new update regarding this vulnerability (whether a fix bypass, another exploitation method, a chained vulnerability, or a new impact related to this vulnerability), you must fill in a new form.

Also, after reporting through the form, when our security team contacts you for more details regarding the disclosure, you must not fill in the form again. You are requested to reply directly via e-mail to info@futuranexus.com.

Our Commitment

Under this policy, we agree to:

  • Promptly acknowledge and collaborate on report validation within a reasonable time period.
  • Provide regular updates on vulnerability progress
  • Expedite remediation within operational constraints and timelines
  • Extend Safe Harbor for compliant research, refraining from legal action if terms are adhered to
  • Acknowledge findings transparently without engaging in unfair practices

Our Expectations

We expect compliance with this policy and applicable laws. Report vulnerabilities promptly and refrain from further testing if critical issues are identified. Avoid exploiting vulnerabilities to detrimentally impact user experience or system integrity. Utilize only official communication channels for vulnerability information sharing. Allow a reasonable resolution timeframe before requesting public disclosure.

If you find any server-side vulnerability, refrain from exploiting it in a way that may cause harm to user experience or expose our systems in an unintended way (for example, exploiting a file upload vulnerability by uploading a full-blown payload/malware to our backend systems).

If you get any sort of CLI access, immediately stop and inform us.

Confidentiality

Both parties commit to maintaining strict confidentiality throughout the disclosure and remediation process. Disclosure of information, including vulnerability details, without written permission is strictly prohibited.

Safe Harbor

Vulnerability research conducted under this policy is authorized within legal boundaries. FuturaNexus waives certain restrictions to facilitate security research but cannot authorize actions on third-party products without written approval. Legal protection will be provided for compliant research activities. We consider vulnerability research conducted under this policy to be:

  • Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy.
  • Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls.
  • Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis.
  • Lawful, helpful to the overall security of GetMedJob/FuturaNexus, and conducted in good faith.

Bug Bounty/Rewards

Valid findings adhering to policy rules will be acknowledged in our Hall of Fame. Public disclosure may be permitted post-fix. However, FuturaNexus currently does not offer cash rewards but plans to do so in the future.

For any concerns or clarification, contact us through Official Channels before proceeding. We appreciate your cooperation in strengthening our security measures.