Security & responsible disclosure

CampaignChain welcomes reports from security researchers. This page is the responsible-disclosure policy referenced from /.well-known/security.txt.

How to report

Send a report to security@dhruvantasystems.com. Please include:

• A clear description of the vulnerability.
• Reproduction steps (request/response logs, proof of concept snippets).
• The impacted URL, environment, and any affected accounts.
• Your preferred contact channel and whether you would like to be credited in a disclosure.

Preferred languages: English, Hindi, Telugu.

What to expect from us

• Acknowledgement within two business days.
• Triage and severity assessment within five business days, with a status update.
• Coordinated disclosure once a fix has been deployed and verified.
• Credit in our advisory log when you request it and when the report led to a fix.

Safe-harbour

Researchers acting in good faith under this policy will not be pursued for actions that:

• Use only their own accounts, or accounts they have explicit written permission to test.
• Do not exfiltrate other users' data, attempt account takeover at scale, or disrupt service.
• Avoid public disclosure until coordinated with CampaignChain.

Out of scope

• Reports based purely on missing security headers without a demonstrated exploitable impact.
• Volumetric denial-of-service or rate-limit testing.
• Social-engineering attacks against CampaignChain employees, users, or vendors.
• Vulnerabilities in third-party services that are not under Dhruvanta Systems' control.

Other contacts

Privacy-related questions belong on the Privacy Policy page. Content or account grievances should be routed to the Grievance Officer.