Effective Date: 29 June 2026 | Response SLA: 72 hours acknowledgement
1. Our Security Commitment
TechSlide IT Solutions Pvt Ltd, the developer and operator of RestoPOS, is committed to maintaining the security and integrity of our platform and the data entrusted to us by thousands of restaurant operators across India. Security is not an afterthought — it is a foundational element of how we build and operate our software.
We recognise that despite our best efforts, no software system is entirely free of vulnerabilities. The security research community plays a valuable role in identifying weaknesses that internal teams may miss. We are grateful to researchers who responsibly disclose security issues and are committed to working collaboratively to resolve confirmed vulnerabilities.
This Responsible Disclosure Policy outlines the framework for researchers and users to report security vulnerabilities to us, the process we follow to address such reports, and the protections we extend to good-faith reporters.
2. Scope — What to Report
The following systems and vulnerability types are within scope for responsible disclosure:
✅ In Scope — Systems
- restopos.in and all subdomains
- RestoPOS web application & dashboard
- RestoPOS REST APIs
- RestoPOS Android & iOS apps
- Admin portal (admin.restopos.in)
- Authentication systems
✅ In Scope — Vulnerability Types
- SQL injection / NoSQL injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Authentication bypass / broken auth
- Insecure direct object references (IDOR)
- Privilege escalation
- Sensitive data exposure
- Server-side request forgery (SSRF)
- Remote code execution (RCE)
- Business logic vulnerabilities
3. Out of Scope
The following are explicitly out of scope and should not be tested or reported:
❌ Out of Scope — Techniques
- Social engineering of staff or users
- Phishing attacks
- Physical attacks on offices or servers
- Denial of Service (DoS/DDoS) attacks
- Automated scanning without prior permission
- Testing on accounts you do not own
❌ Out of Scope — Issue Types
- Missing HTTP security headers (low-impact)
- SSL/TLS version issues without exploit PoC
- Rate limiting on non-sensitive endpoints
- Open redirects with no security impact
- Vulnerabilities in third-party services we use
- Self-XSS requiring full account compromise
Testing activities must not disrupt service availability, access other users' data, or violate applicable law. Any testing must be performed only on your own test account.
4. How to Report
Please report security vulnerabilities through one of the following channels:
- Email (preferred): [email protected] — use this for all vulnerability reports. For sensitive reports, we recommend encrypting your email if possible.
- Web Form: Use the submission form at the bottom of this page for structured reports.
Please do not report security vulnerabilities through public channels such as GitHub Issues, social media, public forums, or support tickets. Public disclosure before we have had a reasonable opportunity to investigate and remediate puts our users at risk.
Do not disclose any vulnerability or your testing activity to any third party before we have confirmed that the issue is resolved, or until we have agreed on a disclosure timeline with you.
5. What to Include in Your Report
To help us triage and investigate your report efficiently, please include the following information:
- Your name and contact email (for follow-up communications);
- Vulnerability type (e.g., XSS, IDOR, SQL Injection, Authentication Bypass);
- Severity assessment (Critical / High / Medium / Low) with your reasoning;
- Affected URL(s) or endpoint(s) — the specific path where the vulnerability exists;
- Step-by-step reproduction instructions — detailed enough for our team to reproduce the issue independently;
- Proof of concept — screenshots, screen recordings, or code snippets demonstrating the vulnerability (without exploiting it beyond what is necessary to prove the issue);
- Potential impact — describe what an attacker could achieve by exploiting this vulnerability;
- Any suggested remediation (optional but appreciated).
Incomplete reports may result in a delayed response. The more detail you provide, the faster we can triage and act.
6. Our Response Process
We are committed to the following response timeline for all reports received at [email protected] or through the form below:
- Day 1–3 — Acknowledgement: We will acknowledge receipt of your report within 72 hours of submission, confirm the information received, and provide a reference number.
- Day 3–10 — Initial Assessment: Our security team will assess the validity and severity of the reported issue and communicate our findings to you.
- Day 10–30 — Remediation: For confirmed vulnerabilities, we will work to develop and deploy a fix. Critical and High severity issues are prioritised. We will keep you informed of progress.
- Post-fix — Closure & Credit: Once resolved, we will notify you. With your permission, we may credit your contribution in our security acknowledgements. Coordinated disclosure may be agreed upon at this stage.
Fix timelines may vary based on severity and complexity. Complex issues may require longer remediation periods. We will communicate any delays transparently. We do not currently operate a paid bug bounty programme, but we sincerely appreciate responsible reporters and will acknowledge your contribution.
7. Safe Harbor
TechSlide IT Solutions Pvt Ltd extends the following safe harbor protections to security researchers who report vulnerabilities in good faith and in accordance with this policy:
- We will not initiate or recommend legal action against you for security research conducted in compliance with this policy;
- We will work with you to understand and resolve the issue quickly;
- We will not share your personal information with third parties without your consent, except as required by law;
- We consider your research to be "authorised" under the IT Act, 2000, and applicable law, provided it is conducted within the scope defined above.
Safe harbor does not apply if you:
- Access, modify, or delete data belonging to other users;
- Disrupt the availability of the Service (DoS);
- Conduct social engineering, phishing, or physical attacks;
- Publicly disclose the vulnerability before we have had an opportunity to remediate it;
- Use the vulnerability for any purpose beyond demonstrating the issue to us;
- Act in bad faith or with malicious intent.
Researchers who violate these conditions may be subject to legal action under the IT Act, 2000, and other applicable Indian laws.
8. Liability & Force Majeure Note
While we take every reasonable and practicable step to secure our infrastructure and your data, TechSlide IT Solutions Pvt Ltd is not responsible for security incidents arising from events beyond our reasonable control. This includes, but is not limited to:
- Sophisticated zero-day cyberattacks exploiting previously unknown vulnerabilities;
- State-sponsored attacks or advanced persistent threats (APTs);
- Vulnerabilities in underlying cloud infrastructure, operating systems, or third-party components that we did not introduce and could not reasonably have prevented;
- Force Majeure events including natural disasters, power failures, internet backbone disruptions, or government-ordered shutdowns;
- Security incidents arising from a user's own insecure practices, compromised credentials, or failure to maintain device security.
Our server infrastructure is maintained with industry-standard security practices. However, absolute security cannot be guaranteed for any internet-connected system. Users are advised to use strong passwords, enable two-factor authentication where available, and report any suspicious activity promptly.
Use the form below to submit a structured vulnerability report. All submissions are treated as confidential and reviewed by our security team.