Security Disclosure Policy

Effective from: 9 June 2026

Version: 1.0

This document is the LogHat Vulnerability Disclosure Policy. It tells a security researcher how to report a vulnerability in the LogHat Platform, what is in scope, what is out of scope, and what we commit to do when a report arrives.

The Platform is operated by Technit Space and Aero Works Private Limited, CIN U29304UP2019PTC118508, registered office at B-120, Sector 88, Noida, Uttar Pradesh 201305, India.

A short machine-readable summary of this Policy is available at /.well-known/security.txt, formatted per RFC 9116.

1. How to report a vulnerability

Send a report to hello@loghat.app with the subject line "Security disclosure". Include:

  • A clear description of the vulnerability.
  • The target — host, path, parameter, API endpoint, or feature.
  • Reproduction steps in numbered form, with the smallest example that triggers the issue.
  • An assessment of the impact and the likely attack scenario.
  • Where applicable, a proof-of-concept exploit constrained to read only public or fictional data.
  • Whether you would like to be credited in our public acknowledgement page, and if so, the name or handle to credit.

We accept PGP-encrypted email. The current PGP key fingerprint is published at /.well-known/security.txt.
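As an added illustration of the RFC 9116 format referenced above (this is example code, not LogHat's published file or tooling): a small parser and validator for a security.txt, run over a constructed sample whose Expires date, Encryption URL and Policy URL are placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in RFC 9116 form. The contact address matches this
# Policy; the expiry date and the Encryption/Policy/Canonical URLs are
# placeholders, not LogHat's real published values.
SAMPLE_SECURITY_TXT = """\
# LogHat security contact (constructed example)
Contact: mailto:hello@loghat.app
Expires: 2027-06-09T00:00:00.000Z
Encryption: https://loghat.app/.well-known/pgp-key.txt
Policy: https://loghat.app/security-disclosure
Canonical: https://loghat.app/.well-known/security.txt
Preferred-Languages: en
"""


def parse_security_txt(text):
    """Return {field: [values]} from 'Field: value' lines; '#' comments and blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    f = parse_security_txt(text)
    problems = []
    # RFC 9116 makes Contact and Expires mandatory, and Expires must appear exactly once.
    if not f.get("contact"):
        problems.append("missing Contact")
    if len(f.get("expires", [])) != 1:
        problems.append("Expires must appear exactly once")
    else:
        exp = datetime.fromisoformat(f["expires"][0].replace("Z", "+00:00"))
        if exp <= now:
            problems.append("Expires is in the past; the file is stale")
        elif exp > now + timedelta(days=365):
            problems.append("Expires is more than a year away")
    # Links in these fields should be served over HTTPS so they cannot be tampered with in transit.
    for field in ("contact", "encryption", "policy", "canonical"):
        for v in f.get(field, []):
            if v.startswith("http://"):
                problems.append(f"{field} uses plaintext http: {v}")
    return problems
```

A stale Expires is the most common defect in published files; the validator reports it rather than silently accepting the contact details.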

We will acknowledge receipt within two (2) working days. We will provide an initial triage decision (in scope, out of scope, duplicate, or under review) within five (5) working days.

2. What we commit to

If your report is made in good faith and is within scope:

  1. We will not pursue legal action against you under the Information Technology Act, 2000 sections 43 or 66, the Indian Penal Code, or any contractual restriction in our Terms of Service, in respect of the activity reasonably necessary to discover and report the vulnerability.
  2. We will keep you informed of the remediation status at a minimum of fortnightly intervals.
  3. We will not publish your contact details without your consent.
  4. We will credit you on our acknowledgements page, if you wish, once the fix is deployed.
  5. Where a fix requires a coordinated disclosure window, we will agree the window with you in writing.

3. What we ask you to do

In return, we ask that you:

  1. Report the vulnerability to us privately and give us a reasonable period to remediate before public disclosure. We will not impose an unreasonable embargo; ninety (90) days from acknowledgement is our default ceiling, shorter for critical issues and longer only with your agreement.
  2. Limit testing to your own account and test material. Do not access, modify, exfiltrate, or destroy data belonging to any other user.
  3. Do not run automated scanners that generate substantial traffic.
  4. Do not attempt social engineering of LogHat staff, vendors, or their employees.
  5. Do not attempt physical attacks against LogHat or its subprocessors' premises.
  6. Do not request payment for a report as a condition of disclosing it. We do not currently run a paid bug-bounty programme; if and when we do, the terms will be published separately.

4. Scope

In scope

  • *.loghat.app and any subdomain that resolves to the LogHat Platform.
  • The LogHat backend API for endpoints under /api/ that the LogHat frontend invokes.
  • The LogHat Android and iOS mobile applications, if and when published.
  • The LogHat WhatsApp integration, for vulnerabilities reproducible against LogHat-specific endpoints.

Out of scope

  • LogHat-adjacent services not operated under loghat.app. Report vulnerabilities in those services to the relevant team.
  • Third-party services we depend on (Microsoft Azure, Azure OpenAI, Razorpay, ZeptoMail, WhatsApp Business via Meta, Google Tag Manager, Microsoft Clarity). Report those to the relevant provider under their own programme.
  • Findings from purely automated scanners with no demonstrated impact.
  • Email spoofing of hello@loghat.app where the impact is limited to displaying a forged sender address without bypassing SPF, DKIM or DMARC.
  • Vulnerabilities requiring a rooted or jailbroken device, or a pre-existing malicious browser extension, or physical access to a signed-in device.
  • Reports about missing security headers without demonstrated impact.
  • Self-XSS — that is, vulnerabilities exploitable only by getting the victim to paste content into their own browser console.
  • Denial-of-service attacks based on volumetric request floods. A rate-limit bypass with downstream impact is in scope.

5. Severity and remediation timelines

We use the CVSS 3.1 base score to classify findings. Our published target remediation timelines for the production Platform are:

Severity (CVSS)    Description    Remediation target
9.0 — 10.0         Critical       Production patch within 72 hours
7.0 — 8.9          High           Production patch within 14 days
4.0 — 6.9          Medium         Production patch within 60 days
0.1 — 3.9          Low            Best effort, typically the next release window

We may exceed the target where a fix requires breaking-change coordination with a customer or a subprocessor; we will keep the reporter informed if so.

6. Personal data and breach notification

Where a vulnerability you report has resulted in unauthorised access to, alteration of, or disclosure of personal data, the personal data breach notification provisions of the LogHat Privacy Policy Section 10 are triggered. We will, in that event, comply with the Data Protection Board notification timelines under DPDP §8(6) and, where required, the six (6) hour CERT-In reporting timeline under the Indian Computer Emergency Response Team Directions dated 28 April 2022.

Reporters who handle data discovered during testing are asked to delete that data after submitting the report and not to retain a copy.

7. Updates to this Policy

We will update this Policy as the Platform evolves. The published copy at the time you submit a report governs that report.

This Policy was last updated on 9 June 2026.