At upGrad Education Private Limited (together with its subsidiaries, and international affiliates, hereinafter "upGrad," "us," "we," "our" or “the Company”), we are always looking to improve continuously which directly translates into our information security program enabling the protection of our customer's data as a top priority. The upGrad Security Team acknowledges the valuable role that honest, independent security researchers and bug reporters play in the overall security of connected systems. As a result, we encourage the responsible reporting of any vulnerability on our company website and services. upGrad is committed to working with security researchers to verify and address potential vulnerabilities that are reported to us.

If you believe you have found a qualifying security vulnerability in the upGrad product or website, please submit a report following the guidelines below. We value the positive impact of your work and thank you in advance for your contribution.

• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
• Please provide detailed reports with reproducible steps. If the report needs to be more detailed to reproduce the issue, the issue may not be marked as triaged.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a reasonable faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

The scope of issues is limited to technical vulnerabilities in the upGrad website or mobile apps. Please do not attempt to compromise the safety or privacy of our users (so please use test accounts), or the availability of upGrad through DoS attacks or spam. We also request you to not use vulnerability testing tools that generate a significant volume of traffic.

When reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Rate limiting or brute force issues on non-authentication endpoints
• Missing best practices in Content Security Policy.
• Missing HttpOnly or Secure flags on cookies.
• Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
• Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
• Tabnabbing
• Open redirect - unless an additional security impact can be demonstrated.
• Issues that require unlikely user interaction.