Responsible Disclosure Process

At Nooks, protecting our customers’ data and maintaining their trust is one of our highest priorities. We view security as a shared responsibility and welcome contributions from the security research community. If you discover a potential vulnerability, we encourage you to report it through our Vulnerability Disclosure Program (VDP), powered by Bugcrowd. Valid submissions are eligible for reputation points on the Bugcrowd platform, and researchers who report impactful issues may be considered for future invitation-only bug bounty programs.

Our Commitment

If you report a valid security vulnerability in accordance with this policy, we commit to:

●  Treating you with respect and professionalism throughout the process

●  Maintaining confidentiality of your report and personal information

●  Investigating and validating findings in a timely and responsible manner

●  Working with you to address confirmed vulnerabilities to protect our users

●  Prioritizing remediation based on the severity and impact of the issue

We appreciate your efforts to help keep Nooks and our customers safe.

Scope

This process applies to:

●  https://app.nooks.in

If you're unsure whether a system is covered, please contact us at vulnerabilities@nooks.in.

Reporting Guidelines

When submitting a report:

●  Do not exploit the vulnerability beyond what is necessary to confirm its existence.

●  Do not access, modify, or delete data that does not belong to you.

●  Do not perform actions that degrade our services (e.g., denial-of-service attacks).

Your report should include:

●  A clear and concise description of the issue

●  Steps to reproduce the vulnerability

●  A description of the potential impact

●  Screenshots, logs, or proof-of-concept code (if available)

Submit your report using the Bugcrowd submission form on this page or contact vulnerabilities@nooks.in.

Out of Scope

The following activities and issues are outside the scope of this program:

●  Denial-of-service (DoS) attacks or resource exhaustion

●  Social engineering or phishing of staff, users, or partners

●  Physical security testing

●  Vulnerabilities in third-party systems not owned or controlled by Nooks

●  Clickjacking on pages without sensitive interactions

●  Missing security headers or TLS best practices without demonstrated impact

●  Rate limiting or brute-force issues on non-sensitive endpoints

●  Automated scanning or fuzzing that generates excessive traffic

If you're unsure whether something is out of scope, please reach out for clarification.

Safe Harbor

We support and encourage responsible security research.

If you act in good faith and in accordance with this policy, we commit that:

●  Your activities will be considered authorized under the Computer Fraud and Abuse Act (CFAA) and similar laws.

●  We will not pursue legal action or law enforcement involvement for accidental, good-faith violations.

●  We consider your activities exempt from the DMCA and similar laws concerning circumvention.

●  We waive relevant restrictions in our Terms & Conditions for research done under this policy.

This document does not provide immunity from actions by third parties or violations of applicable laws.

Disclosure Policy

Please do not publicly disclose any vulnerability — even after it has been resolved — without explicit written permission from Nooks.

To submit a report, use our Bugcrowd submission form. Be sure to include as much relevant detail as possible. Providing your email address is recommended so we can follow up with questions or updates as needed.