# Security Vulnerability Reporting Guidelines

**Vulnerability Disclosure and Contact Information**

eMudhra Limited welcomes reports of security vulnerabilities in emCA Certificate Manager from security researchers, customers, and the broader security community. We are committed to addressing security issues promptly and transparently in accordance with responsible disclosure practices.

### Primary Security Contact

Security Team Email: <security@emudhra.com>

Response Time Commitment:

* Initial acknowledgment: Within 24 hours (business days)
* Preliminary assessment: Within 48 hours
* Detailed response with timeline: Within 5 business days

### Manufacturer Information

**Company Name:** eMudhra Limited\
**Corporate Website:** <https://www.emudhra.com>\
**Product Support Portal:** [emCA Certificate Manager | emCA Certificate Manager Support Center](https://emca.emudhra.com/)\
**General Contact:** <https://emudhra.com/en-in/>\
**Emergency Security Hotline:** +91-80-46156902 (For critical vulnerabilities only - Enterprise customers)

### Accepted Methods for Reporting Vulnerabilities

#### Email Submission (Preferred Method)

To: <security@emudhra.com>

Subject Line Format: \[SECURITY] emCA Vulnerability Report - \[Brief Description]

Required Information:

* Your name and contact information
* Organization affiliation (if applicable)
* Product version affected (e.g., emCA v5.0.0)
* Vulnerability type (e.g., authentication bypass, SQL injection, privilege escalation)
* Detailed description of the vulnerability
* Steps to reproduce the issue
* Proof of concept (PoC) code or screenshots (if available)
* Potential impact assessment
* Suggested remediation (optional)
* Whether you plan to publicly disclose this vulnerability

#### Online Contact Form

URL: <https://emudhra.com/en-in/contact-us>

Instructions:

1. Select "Support" from the inquiry type dropdown
2. Provide all required information as listed above

#### Additional Security Resources

Security Documentation

* Security Support Policy: <security@emudhra.com>
* Security Advisories: <https://emudhra.com/security/advisories>

Security Compliance

* Common Criteria EAL4+ Certification: [eMudhra Certification Authority (emCA) v4.0.3 | Cyber Security Agency of Singapore](https://www.csa.gov.sg/our-programmes/certification-and-labelling-schemes/singapore-common-criteria-scheme/product-list/emudhra-certification-authority--emca--v4-0-3/)
* GDPR Compliance: [eMudhra | Data Security - India](https://emudhra.com/en-in/data-security)
* eIDAS: [eMudhra | Data Security - India](https://emudhra.com/en-in/data-security)
* ISO 27001 Certification: [eMudhra | Data Security - India](https://emudhra.com/en-in/data-security)

#### Questions About This Policy

If you have questions about our vulnerability disclosure policy or the reporting process:

Email: <security@emudhra.com>\
Subject Line: \[POLICY QUESTION] Vulnerability Disclosure Process

We typically respond to policy questions within 2-3 business days.

#### Legal Safe Harbor

eMudhra commits not to pursue legal action against security researchers who:

1. Follow this vulnerability disclosure policy in good faith
2. Avoid privacy violations, data destruction, and service disruption
3. Do not exploit vulnerabilities beyond what is necessary for demonstration
4. Provide reasonable time for remediation before public disclosure

This safe harbor applies to potential violations of:

* Computer misuse laws
* Anti-circumvention provisions
* Terms of service

Note: This policy does not authorize testing against customer production environments. Always test against your own licensed instance of emCA or coordinate with us for access to test environments.

#### Policy Updates

This vulnerability disclosure policy is reviewed semi-annually and may be updated to reflect:

* Evolution of industry best practices
* Changes in legal and regulatory requirements
* Feedback from the security research community
* Internal process improvements

Last Updated: December 15, 2025\
Next Review Date: June 15, 2026\
Policy Version: 1.0

#### Contact Summary

<table data-header-hidden><thead><tr><th valign="top"></th><th valign="top"></th><th valign="top"></th></tr></thead><tbody><tr><td valign="top"><strong>Purpose</strong></td><td valign="top"><strong>Contact Method</strong></td><td valign="top"><strong>Response Time</strong></td></tr><tr><td valign="top">Report Security Vulnerability</td><td valign="top"><a href="mailto:security@emudhra.com">security@emudhra.com</a></td><td valign="top">24 hours acknowledgment</td></tr><tr><td valign="top">Critical Security Emergency</td><td valign="top">+91-80-46156902</td><td valign="top">Immediate (Enterprise customers)</td></tr><tr><td valign="top">Policy Questions</td><td valign="top"><a href="mailto:security@emudhra.com">security@emudhra.com</a></td><td valign="top">2-3 business days</td></tr><tr><td valign="top">General Product Support</td><td valign="top"><a href="https://emca.emudhra.com/">emCA Certificate Manager | emCA Certificate Manager Support Center</a></td><td valign="top">Per support SLA</td></tr><tr><td valign="top">Business Inquiries</td><td valign="top"><a href="https://emudhra.com/en-in/contact-us">https://emudhra.com/en-in/contact-us</a></td><td valign="top">1-2 business days</td></tr></tbody></table>
