Responsible Disclosure

Email hello@sumedh.co.in with a description of the issue, the steps to reproduce it, and its potential impact. If you wish to encrypt your report, request our PGP key at the same address. Please do not disclose the issue publicly until we have had a reasonable opportunity to address it.

This policy covers this public website and any internet-facing service Sumedh explicitly designates as in scope. DRISHTI deployments are sovereign and air-gapped on customer premises; they are not internet-reachable and are governed by the relevant deployment agreement — please do not attempt to access any customer environment.

If you make a good-faith effort to comply with this policy during your research, we will regard your activity as authorised, will work with you to understand and resolve the issue promptly, and will not recommend or pursue legal action against you. Acting in good faith means: not accessing or modifying data beyond what is needed to demonstrate the issue, not degrading our services, and not exfiltrating, retaining, or disclosing data.

We aim to acknowledge a report within five business days and to keep you informed as we work toward a fix. We do not currently operate a paid bug-bounty programme; we are glad to credit researchers who wish to be named once an issue is resolved.