Security Vulnerability Reporting Guidelines

Vulnerability Disclosure and Contact Information

eMudhra Limited welcomes reports of security vulnerabilities in emCA Certificate Manager from security researchers, customers, and the broader security community. We are committed to addressing security issues promptly and transparently in accordance with responsible disclosure practices.

Primary Security Contact

Security Team Email: [email protected]

Response Time Commitment:

• Initial acknowledgment: Within 24 hours (business days)

• Preliminary assessment: Within 48 hours

• Detailed response with timeline: Within 5 business days

Manufacturer Information

Company Name: eMudhra Limited Corporate Website: https://www.emudhra.com Product Support Portal: emCA Certificate Manager | emCA Certificate Manager Support Center General Contact: https://emudhra.com/en-in/ Emergency Security Hotline: +91-80-46156902 (For critical vulnerabilities only - Enterprise customers)

Accepted Methods for Reporting Vulnerabilities

Email Submission (Preferred Method)

To: [email protected]

Subject Line Format: [SECURITY] emCA Vulnerability Report - [Brief Description]

Required Information:

• Your name and contact information

• Organization affiliation (if applicable)

• Product version affected (e.g., emCA v5.0.0)

• Vulnerability type (e.g., authentication bypass, SQL injection, privilege escalation)

• Detailed description of the vulnerability

• Steps to reproduce the issue

• Proof of concept (PoC) code or screenshots (if available)

• Potential impact assessment

• Suggested remediation (optional)

• Whether you plan to publicly disclose this vulnerability

Online Contact Form

URL: https://emudhra.com/en-in/contact-us

Instructions:

1. Select "Support" from the inquiry type dropdown

2. Provide all required information as listed above

Additional Security Resources

Security Documentation

• Security Support Policy: [email protected]

• Security Advisories: https://emudhra.com/security/advisories

Security Compliance

• Common Criteria EAL4+ Certification: eMudhra Certification Authority (emCA) v4.0.3 | Cyber Security Agency of Singapore

• GDPR Compliance: eMudhra | Data Security - India

• eIDAS: eMudhra | Data Security - India

• ISO 27001 Certification: eMudhra | Data Security - India

Questions About This Policy

If you have questions about our vulnerability disclosure policy or the reporting process:

Email: [email protected] Subject Line: [POLICY QUESTION] Vulnerability Disclosure Process

We typically respond to policy questions within 2-3 business days.

Legal Safe Harbor

eMudhra commits to not pursue legal action against security researchers who:

1. Follow this vulnerability disclosure policy in good faith

2. Avoid privacy violations, data destruction, and service disruption

3. Do not exploit vulnerabilities beyond what is necessary for demonstration

4. Provide reasonable time for remediation before public disclosure

This safe harbour applies to potential violations of:

• Computer misuse laws

• Anti-circumvention provisions

• Terms of service

Note: This policy does not authorize testing against customer production environments. Always test against your own licensed instance of emCA or coordinate with us for access to test environments.

Policy Updates

This vulnerability disclosure policy is reviewed semi-annually and may be updated to reflect:

• Industry best practices evolution

• Legal and regulatory requirement changes

• Feedback from security research community

• Internal process improvements

Last Updated: December 15, 2025 Next Review Date: June 15, 2026 Policy Version: 1.0

Contact Summary