Security Vulnerability Disclosure Policy

At UXcue, we value the efforts of security researchers who help us keep our platform secure. If you believe you have discovered a security vulnerability affecting our services, we encourage you to report it responsibly.

How to Report a Vulnerability

Please include as much information as possible, including:

  • Description of the vulnerability
  • Affected URL(s), endpoint(s), or service(s)
  • Steps required to reproduce the issue
  • Proof of concept or screenshots (if applicable)
  • Your contact information for follow-up questions

Responsible Disclosure Guidelines

We ask that you:

  • Act in good faith and avoid violating the privacy of our users.
  • Do not access, modify, or delete customer data.
  • Avoid actions that could disrupt or degrade our services.
  • Do not perform denial-of-service (DoS/DDoS) attacks.
  • Give us a reasonable opportunity to investigate and resolve the issue before public disclosure.

Our Commitment

When you report a legitimate security issue, we will:

  • Acknowledge receipt of your report.
  • Review and investigate the issue promptly.
  • Keep you informed of significant progress where appropriate.
  • Work to resolve confirmed vulnerabilities in a timely manner.

Scope

This policy applies to services owned and operated by UXcue, including:

  • UXcue.co.in
  • castlestack.uxcue.co.in
  • prism.uxcue.co.in
  • rtls.uxcue.co.in
  • Official APIs api.uxcue.co.in
  • Official web applications

Out of Scope

The following activities are outside the scope of this policy:

  • Social engineering or phishing attacks
  • Physical attacks against infrastructure
  • Spam or email abuse
  • Denial-of-service attacks
  • Automated scanning without evidence of an exploitable vulnerability
  • Reports involving vulnerabilities in third-party services outside our control

Bug Bounty

UXcue currently does not operate a public bug bounty program. Responsible disclosure is appreciated, but financial rewards are not guaranteed.

Legal Safe Harbor

We will not pursue legal action against researchers who make a good-faith effort to comply with this policy, avoid harming users or systems, and promptly report discovered vulnerabilities to us.

Last updated: July 2026