Effective Date: April 2026
Document Title | Responsible Disclosure Policy (Vulnerability Disclosure Policy) |
Issued by | Tapits Technologies Pvt. Ltd. (operating as Fingpay) |
Version | 1.0 |
Effective Date | April 2026 |
Review Frequency | Annual, or upon material change to in-scope systems |
Disclosure Channel | info@tapits.in |
Governing Law | Laws of India; jurisdiction — Indore, Madhya Pradesh |
1. Introduction & Purpose
Tapits Technologies Pvt. Ltd., operating under the brand name Fingpay (hereinafter referred to as “the Company”, “Fingpay”, “We”, “Our”, or “Us”), is an RBI-authorised Payment Aggregator licensed to facilitate digital payment acceptance, processing, and settlement across online and physical environments. Fingpay serves millions of merchants, enterprises, microfinance institutions, and end consumers across India through products encompassing UPI, AEPS, mATM, Payment Gateway, BBPS, Cash Management Services (CMS), and identity verification APIs.
The security, integrity, and resilience of Fingpay’s systems are fundamental to the trust that our customers, merchants, banking partners, and regulators place in us. We are committed to maintaining a safe and secure environment for all stakeholders, and we recognise that the global security research community plays a valuable and complementary role in identifying vulnerabilities that may not surface through internal processes alone.
This Responsible Disclosure Policy (“Policy” or “RDP”) establishes a formal, structured framework through which independent security researchers, ethical hackers, and cybersecurity professionals (collectively, “Researchers”) may responsibly report security vulnerabilities they discover in Fingpay’s systems. This Policy sets out the terms under which Fingpay will engage with such Researchers, defines the boundaries within which testing is permitted, and articulates the mutual commitments that govern the disclosure relationship.
Fingpay strongly believes that security research conducted in good faith and in accordance with this Policy benefits the Company, our customers, and the broader digital payments ecosystem. We therefore invite responsible disclosure and commit to engaging with all good-faith reports with diligence, transparency, and respect.
NOTE: This Policy does not constitute an invitation to actively attack, probe, or test Fingpay’s systems beyond the scope explicitly defined herein. Unauthorised access to computer systems is unlawful under Indian law and attracts civil and criminal liability, including under Sections 43, 43A, 66, 66B, 66C, 66D, and 70 of the Information Technology Act, 2000.
2. Definitions
For the purposes of this Policy, the following terms shall have the meanings assigned to them below:
- “Company” / “Fingpay”
Tapits Technologies Pvt. Ltd., its subsidiaries, affiliates, and any entity operating under the Fingpay brand or using Fingpay’s payment infrastructure.
- “Researcher”
Any individual or group of individuals who independently discover and report a potential security vulnerability in Fingpay’s Systems in good faith, in accordance with this Policy.
- “Vulnerability”
Any security weakness, flaw, misconfiguration, or bug in Fingpay’s Systems that could be exploited to compromise the confidentiality, integrity, availability, or authenticity of those Systems or the data they process.
- “System(s)”
Any web application, mobile application (Android or iOS), API endpoint, server, network component, or other digital asset owned, operated, or maintained by Fingpay, including those listed under Section 3 (In-Scope Systems).
- “Report”
A written submission by a Researcher to Fingpay disclosing a potential Vulnerability in accordance with this Policy.
- “Personal Information”
Information as defined under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (as applicable), including financial data, KYC records, and transaction data.
- “Good Faith”
Conduct that is honest, not deceptive, and undertaken with the genuine intent of helping Fingpay improve its security, without seeking personal gain or causing harm to any party.
- “Coordinated Disclosure”
A process whereby a Researcher and Fingpay collaborate to verify a Vulnerability and agree on an appropriate timeline for remediation before any public disclosure.
- “Hall of Fame”
Fingpay’s public acknowledgement register, where recognised Researchers may, with their consent, be listed for responsible disclosures.
- “CERT-In”
The Indian Computer Emergency Response Team, the national nodal agency for cybersecurity, established under Section 70B of the Information Technology Act, 2000.
3. Scope — In-Scope Systems & Vulnerability Types
3.1 In-Scope Systems
Fingpay welcomes vulnerability reports pertaining to the following systems and platforms:
3.1.1 Web Domains & APIs
- https://www.fingpay.co.in (corporate website and merchant portal)
- https://api.fingpay.co.in (API gateway and integration endpoints)
- Any other subdomain or endpoint that directly processes, stores, or transmits payment or personal data on behalf of Fingpay
3.1.2 Mobile Applications
- Fingpay Merchant App (Android)
- Fingpay Agent / BC App (Android)
- Fingpay White-Label Customer App (where Fingpay is the operator)
3.1.3 Core Payment Infrastructure
- UPI QR and payment link processing systems
- AEPS (Aadhaar Enabled Payment System) platform
- mATM / mPOS switching and settlement infrastructure
- BBPS (Bharat Bill Payment System) integration
- Cash Management Services (CMS) platform and tracking APIs
- Virtual Account and reconciliation systems
- Identity verification APIs (PAN, Aadhaar, Bank Account, Voter ID)
3.2 In-Scope Vulnerability Types
Fingpay is particularly interested in, but not limited to, the following categories of vulnerability:
- Remote Code Execution (RCE)
- SQL Injection and NoSQL Injection
- Authentication and authorisation bypass (horizontal and vertical privilege escalation)
- Ability to bypass or manipulate the payment transaction flow
- Confirmed price or transaction-amount manipulation. A valid transaction ID demonstrating the manipulation is required as proof of concept; the proof-of-concept transaction must be conducted only against the Researcher’s own registered accounts and limited to what is strictly necessary to demonstrate the issue (see Sections 5.2 and 12)
- Stored Cross-Site Scripting (Stored XSS)
- Server-Side Request Forgery (SSRF)
- Insecure Direct Object Reference (IDOR) that exposes data belonging to other users or merchants
- Shell / file upload vulnerabilities
- Bulk exposure of sensitive personal data or financial records
- Domain takeover or subdomain hijacking
- Broken cryptographic implementation or weak key management
- Vulnerabilities in KYC / Aadhaar biometric authentication flows
- Any vulnerability that could compromise the integrity, availability, or confidentiality of payment transactions, merchant data, or consumer financial data
- Descriptive server or application error messages that expose sensitive technical details (stack traces, internal IPs, etc.)
NOTE: Automated vulnerability scanners, fuzzers, and crawlers are STRICTLY PROHIBITED against Fingpay’s systems (see Sections 9.1 and 12). Every proof-of-concept (PoC) submission must include a clear, manual, step-by-step guide to reproduce the issue; a short script that reproduces the request sequence may accompany the manual steps (see Section 7) but does not replace them. Misuse of any vulnerability will expose the Researcher to legal liability.
4. Out-of-Scope Systems & Exclusions
4.1 Out-of-Scope Systems
The following systems and services are expressly excluded from this Policy and must not be tested:
- Any services hosted or operated by third-party providers that are not exclusively controlled by Fingpay (including cloud infrastructure providers, banking partners, NPCI systems, and third-party SaaS tools)
- Banking partner systems (Axis Bank, ICICI Bank, Kotak Bank, IDFC FIRST Bank, Airtel Payments Bank, Fino Payments Bank, NSDL Payments Bank, or any other partner bank)
- NPCI, UIDAI, RBI, or any Government of India system or portal
- Third-party payment instrument networks (Visa, Mastercard, RuPay)
- Systems or domains not explicitly listed in Section 3.1, even if they carry the Fingpay brand name
- White-label applications for which a third-party merchant is the operator and Fingpay is merely a technology provider
4.2 Out-of-Scope Vulnerability Categories
The following vulnerability types are excluded and will not be accepted or rewarded:
4.2.1 General Exclusions
- Price or transaction-amount manipulation without a corresponding successful transaction and a valid transaction ID
- Clickjacking and issues exploitable only through clickjacking
- Open redirects that do not lead to security impact
- DOM-Based Self-XSS or issues exploitable only through Self-XSS
- Formula Injection / CSV Injection
- Issues without clearly identifiable security impact (e.g., missing security headers in isolation, missing CAA DNS records)
- IDORs for objects that the Researcher is already authorised to access
- Duplicate reports of a vulnerability already being remediated
- Known and publicly disclosed vulnerabilities already tracked by Fingpay
- Multiple reports for the same vulnerability type with minor variations — only the first report will be evaluated
- Rate limiting issues, unless they demonstrably expose a severe threat to data confidentiality or result in quantifiable business loss
- UI and UX bugs, spelling or grammatical errors, and cosmetic defects
4.2.2 Infrastructure & Network Exclusions
- Vulnerabilities in third-party software for which the vendor released a patch within the 30 days preceding the date of the Report (patching grace period)
- Networking misconfigurations that reflect accepted industry standards or known trade-offs
- Password complexity policy weaknesses
- HTTP 404 / non-200 error pages
- Fingerprinting or banner disclosure on public or common services
- Disclosure of publicly accessible files or directories (e.g., robots.txt)
- Cacheable HTTPS pages
4.2.3 Email & DNS Exclusions
- SPF, DKIM, or DMARC record configurations (unless exploitable to demonstrate material impact)
- Email bombing or subscription abuse
- Gmail “+” alias and dot-address acceptance
- Missing DMARC enforcement policies
4.2.4 Login, Session & Account Exclusions
- Lack of account lockout or brute-force protection on password reset pages (unless leading to demonstrated account takeover)
- Browser-level auto-complete or saved password functionality
- Session timeout configurations
- Cookie flags (HttpOnly, Secure) — these will only be considered if exploitation beyond their absence can be demonstrated
5. Researcher Eligibility & Conditions
5.1 Who May Participate
This Policy is open to any individual security researcher worldwide, subject to the following conditions:
- The Researcher must be acting in their personal capacity or as part of a legitimate security research team, and not as an employee, contractor, or agent of a direct competitor of Fingpay.
- Employees of Tapits Technologies Pvt. Ltd. (Fingpay), their immediate family members, and persons employed by Fingpay’s contracted security auditors are not eligible to submit Reports under this Policy or to receive any associated recognition or reward.
- The Researcher must be 18 years of age or older. Minors may participate only with the written consent of a parent or legal guardian.
- The Researcher must not be located in, or a national of, a country subject to applicable Indian export control laws or international sanctions.
- The Researcher must not have a prior criminal conviction related to computer hacking, fraud, or data theft.
5.2 Testing Conditions
- A Researcher may only conduct testing against accounts, systems, or environments for which they are the registered owner, or for which they have obtained explicit prior written authorisation from the account owner.
- Testing must be performed using the Researcher’s own registered accounts, created with their real name and contact details. The use of fictitious or borrowed credentials is prohibited.
- The Researcher must include the custom HTTP header X-Bug-Bounty, with a value of the form FP-<uuid> generated for the engagement, in all test requests so that their testing traffic can be identified; the same value must be quoted in the Report (see Section 7).
- Testing must be conducted in a manner that avoids disruption to production systems, degradation of service quality, corruption of data, or privacy violations affecting real users or merchants.
- The Researcher must immediately cease testing and notify Fingpay upon discovering any personal, financial, or sensitive data belonging to real users or merchants.
6. How to Report a Vulnerability
6.1 Reporting Channel
All vulnerability reports must be submitted by email to:
info@tapits.in
Subject Line: [SECURITY] Suspected Vulnerability — Fingpay
Fingpay does not accept vulnerability reports via social media, public issue trackers, or any channel other than the email address specified above.
7. Information to Include in Your Report
To enable Fingpay to assess and reproduce the reported vulnerability efficiently, every Report must include the following information:
1. Reporter Details | Full name, email address, and (optionally) LinkedIn or Twitter/X handle. If you wish to remain anonymous, state this clearly. |
2. Vulnerability Type | A concise classification (e.g., SQL Injection, Stored XSS, IDOR, Authentication Bypass). |
3. Affected System | URL, domain, endpoint, application name, and version (if known). |
4. Severity Assessment | Your assessment of severity (Critical / High / Medium / Low) with brief justification. |
5. Step-by-Step Reproduction | Detailed, numbered steps to reproduce the vulnerability. The steps must be clear enough for Fingpay’s security team to reproduce the issue without additional clarification. |
6. Proof of Concept | Screenshots, screen recordings, HTTP request/response captures, or scripts. For payment manipulation, a valid Transaction ID is mandatory. |
7. Impact Description | A clear explanation of the potential business or security impact if the vulnerability were exploited by a malicious actor. |
8. Suggested Remediation | (Optional but welcomed) Any recommended fix or mitigation the Researcher believes would address the vulnerability. |
9. Test Request Header | The value of the X-Bug-Bounty header used during testing (e.g., FP-<uuid>). |
NOTE: Do not include actual passwords, full card numbers, Aadhaar numbers, or other live sensitive data belonging to real individuals in your report. Redact or mask such data before submission.
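The test-request header required in Sections 5.2 and 7 is the one mechanical step in this Policy, so here is an added illustration (not Fingpay’s code or tooling) of both sides of it: the Researcher generates one FP-<uuid> tag per engagement and stamps every request with it, and the triage team checks the tag’s form and separates tagged traffic from untagged or spoofed traffic in its logs. It assumes, beyond what the Policy states, that the application writes the header value as the last field of its access log; the log lines, paths and URL are constructed for the example.

```python
"""Tagging researcher traffic with X-Bug-Bounty and picking it back out of logs.

Added illustration; not Fingpay's code. Assumptions not stated in the policy:
one FP-<uuid4> tag is generated per engagement and reused on every request,
the application writes the header value as the last field of its access log,
and the log lines below are constructed for this example.
"""
from __future__ import annotations

import re
import urllib.request
import uuid

# "FP-" followed by a lower-case RFC 4122 version-4 UUID (third group starts
# with "4", fourth group with 8/9/a/b), which is exactly what str(uuid.uuid4()) yields.
TAG_RE = re.compile(
    r"FP-[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}"
)


def new_tag() -> str:
    """Generate the per-engagement tag; use it on every request and quote it in the Report."""
    return f"FP-{uuid.uuid4()}"


def is_valid_tag(tag: str) -> bool:
    """Triage-side check that a tag quoted in a Report has the required FP-<uuid> form."""
    return TAG_RE.fullmatch(tag) is not None


def tagged_request(url: str, tag: str, method: str = "GET",
                   body: bytes | None = None) -> urllib.request.Request:
    """Build (but do not send) a request carrying the tag; the caller decides when to send it."""
    req = urllib.request.Request(url, data=body, method=method)
    # urllib stores header names capitalised ("X-bug-bounty"); HTTP header names
    # are case-insensitive on the wire, so the server sees the same header.
    req.add_header("X-Bug-Bounty", tag)
    return req


def tag_of(req: urllib.request.Request) -> str | None:
    """Read the tag back from a request regardless of how the header name was cased."""
    return {k.lower(): v for k, v in req.header_items()}.get("x-bug-bounty")


# Constructed access-log sample (hypothetical format: ip method path status tag-or-"-").
SAMPLE_LOG = """\
203.0.113.7 GET /v1/example/1042 403 FP-8f1d2c3e-4b5a-4c6d-8e7f-0123456789ab
203.0.113.7 GET /v1/example/1043 200 FP-8f1d2c3e-4b5a-4c6d-8e7f-0123456789ab
198.51.100.9 POST /v1/example 200 -
198.51.100.23 GET /v1/example/1042 403 FP-notatag
192.0.2.44 GET /v1/example/7 200 FP-0e1f2a3b-4c5d-4e6f-9a8b-7c6d5e4f3a2b
"""


def split_traffic(log_text: str, engagement_tag: str) -> dict[str, list[str]]:
    """Partition log lines by their tag field.

    researcher: lines carrying exactly the engagement's tag;
    malformed:  lines whose tag field is neither "-" nor a well-formed FP-<uuid>
                (a spoofed or mistyped tag; never treat these as authorised testing);
    other:      everything else, i.e. untagged traffic and well-formed tags that
                belong to a different engagement.
    """
    buckets: dict[str, list[str]] = {"researcher": [], "malformed": [], "other": []}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip truncated lines rather than guess a tag
        field = fields[-1]
        if field == engagement_tag:
            buckets["researcher"].append(line)
        elif field != "-" and not is_valid_tag(field):
            buckets["malformed"].append(line)
        else:
            buckets["other"].append(line)
    return buckets


if __name__ == "__main__":
    tag = new_tag()
    req = tagged_request("https://example.invalid/v1/example", tag)
    print(tag, tag_of(req) == tag)
    buckets = split_traffic(SAMPLE_LOG, "FP-8f1d2c3e-4b5a-4c6d-8e7f-0123456789ab")
    for name, lines in buckets.items():
        print(name, len(lines))
```

The value is generated once and reused, so a single filter on the log field isolates the whole engagement; a line whose tag field is present but malformed is kept apart rather than silently merged with untagged traffic, because it is the pattern an impostor would leave when imitating authorised testing.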
8. Fingpay’s Commitments to Researchers
When a Researcher submits a Report in compliance with this Policy, Fingpay commits to the following:
Acknowledgement | Fingpay will acknowledge receipt of a qualifying Report within 3 business days of submission. |
Initial Triage | Fingpay will complete an initial triage and communicate its preliminary assessment — including whether the Report is in scope and has been validated — within 10 business days of acknowledgement. |
Remediation Updates | Fingpay will provide the Researcher with updates on the status of remediation at reasonable intervals, and will notify the Researcher when the vulnerability has been fully resolved. |
Good Faith Treatment | Fingpay will not pursue civil legal action or initiate a complaint to law enforcement against a Researcher for accidental, good-faith violations of this Policy, provided that the Researcher has complied with all other conditions set out herein. |
Service Continuity | Fingpay will not suspend or terminate a Researcher’s merchant account, agent account, or access to Fingpay’s services solely on account of a vulnerability report made in good faith under this Policy. |
Non-Disclosure Reciprocity | Fingpay will not publicly disclose the Researcher’s identity without the Researcher’s express prior written consent. |
Recognition | Fingpay will, with the Researcher’s consent, publicly acknowledge their contribution on Fingpay’s Hall of Fame page following successful verification and remediation of the reported vulnerability. |
Legal Support | If third-party legal action is initiated against a Researcher who has demonstrably complied with this Policy, Fingpay will take reasonable steps to make it known that the Researcher’s actions were conducted in accordance with this Policy and constituted authorised conduct. |
9. Researcher Obligations & Code of Conduct
By submitting a Report under this Policy, the Researcher agrees to comply with the following obligations and code of conduct:
9.1 Conduct During Testing
- Make every reasonable effort to avoid privacy violations, service disruptions, data destruction, and degradation of performance during testing.
- Do not attempt to access, download, copy, or modify data that does not belong to you or for which you have not received explicit authorisation.
- Do not access another user’s or merchant’s account without that person’s prior express written consent.
- Limit the scope of testing to what is strictly necessary to demonstrate the existence of the Vulnerability. For example, if Shell Upload is discovered, upload only a basic script that prints a benign string (such as the server hostname) — and stop there. Do not escalate beyond demonstrating the vulnerability.
- Do not perform attacks that could harm the reliability, integrity, or availability of Fingpay’s Services, including DDoS attacks, spam floods, or data-deletion exploits.
- Do not use automated vulnerability scanners, fuzzing tools, or crawlers against Fingpay’s production systems. Use of such tools may result in automatic IP bans and account suspension, and will disqualify the Report.
9.2 Confidentiality Obligations
- The Researcher must keep all information relating to a discovered Vulnerability strictly confidential between themselves and Fingpay, from the time of discovery until Fingpay has remediated the issue and provided written approval for disclosure.
- The Researcher must not publicly disclose the Vulnerability — whether on security blogs, social media, conference talks, public issue trackers, or any other platform — before receiving written approval from Fingpay.
- The minimum confidentiality period shall be 90 days from the date of Fingpay’s written acknowledgement of the Report, unless Fingpay and the Researcher mutually agree to a different timeline in writing. If remediation requires more time due to technical complexity or third-party dependencies, Fingpay will notify the Researcher and request a reasonable extension.
- If Fingpay fails to respond or remediate within the agreed timeline without justification, the Researcher may, after providing Fingpay at least 7 business days’ additional written notice, proceed with responsible public disclosure.
10. Safe Harbor & Legal Protections
10.1 Authorised Conduct
Security research conducted in strict compliance with this Policy constitutes “authorised” conduct under Fingpay’s interpretation of applicable computer access laws. Fingpay will not pursue civil action or initiate criminal complaints against Researchers for activities that constitute accidental, good-faith violations of this Policy, provided that:
- The Researcher’s actions are limited to the in-scope systems and permitted testing methodologies defined in this Policy;
- The Researcher does not intentionally access, retain, or misuse data that does not belong to them;
- The Researcher promptly reports the discovered Vulnerability to Fingpay and does not exploit it further; and
- The Researcher has not engaged in any of the Prohibited Actions listed in Section 12 of this Policy.
10.2 Scope of Safe Harbor
Fingpay’s safe harbor protection extends to the following:
- Fingpay will not bring any claim under anti-circumvention provisions (such as Section 65A of the Copyright Act, 1957, or the DMCA where applicable) against a Researcher for circumventing technological protection measures solely for the purpose of, and to the extent necessary for, legitimate security research under this Policy.
- Activities conducted consistently with this Policy will be treated by Fingpay as authorised access for the purposes of the Information Technology Act, 2000 (as amended) and applicable Rules thereunder.
- If third-party legal action is initiated against a Researcher who has demonstrably complied with this Policy, Fingpay will take reasonable steps to communicate that the Researcher’s actions were consistent with this Policy.
10.3 Limits of Safe Harbor
The safe harbor protections described in this Section do not apply where the Researcher has:
- Violated any of the Prohibited Actions set out in Section 12;
- Intentionally accessed, downloaded, or exfiltrated data beyond what is necessary to demonstrate the Vulnerability;
- Failed to report the Vulnerability to Fingpay before disclosing it publicly;
- Engaged in any form of extortion, demand for payment, or threat to Fingpay;
- Violated applicable Indian law or the laws of any other jurisdiction, in any manner unrelated to the good-faith discovery and reporting of the Vulnerability.
NOTE: Nothing in this Section limits or waives any rights Fingpay may have under the laws of India or any other jurisdiction in relation to conduct that falls outside the scope of good-faith security research as defined in this Policy.
11. Disclosure Timeline & Coordinated Disclosure
11.1 Coordinated Disclosure Process
Fingpay follows a coordinated disclosure model. Upon receiving a Report, the following timeline applies:
Day 0 | Researcher submits Report to info@tapits.in |
Within 3 business days | Fingpay sends written acknowledgement of receipt to the Researcher |
Within 10 business days | Fingpay completes initial triage and communicates its in-scope determination and preliminary validity assessment |
Within 30 business days | Fingpay aims to complete remediation of High and Critical severity vulnerabilities |
Within 60 business days | Fingpay aims to complete remediation of Medium severity vulnerabilities |
Within 90 business days | Fingpay aims to complete remediation of Low severity vulnerabilities (subject to prioritisation) |
Upon Remediation | Fingpay notifies the Researcher that the vulnerability has been fixed and, if applicable, seeks the Researcher’s consent for Hall of Fame recognition |
Post-Fix | Coordinated public disclosure may occur with mutual written agreement between Fingpay and the Researcher |
11.2 Timeline Extensions
Fingpay may request a reasonable extension to the standard remediation timelines where the vulnerability involves third-party dependencies, regulatory coordination, complex architectural changes, or coordination with CERT-In or RBI under their respective cybersecurity frameworks. Fingpay will notify the Researcher of any such extension request in writing and will provide a revised estimated remediation date.
12. Prohibited Actions
The following actions are strictly prohibited under this Policy. Engaging in any Prohibited Action will result in immediate disqualification of the Report, loss of safe harbor protection, and may result in civil or criminal legal action:
- Accessing, copying, downloading, retaining, or exfiltrating personal data, financial data, transaction records, KYC documents, or Aadhaar-linked biometric data belonging to real users or merchants.
- Conducting Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks against any Fingpay system or infrastructure.
- Sending spam, phishing emails, or conducting social engineering attacks targeting Fingpay employees, users, merchants, agents, or banking partners.
- Physical security testing, including attempting to gain unauthorised physical access to Fingpay’s offices, data centres, or network infrastructure.
- Using automated scanning tools, fuzzers, or crawlers against Fingpay’s production systems.
- Executing or deploying malware, ransomware, or any destructive or disruptive payload on Fingpay’s systems.
- Exploiting a discovered Vulnerability for personal gain — including, but not limited to, conducting actual financial transactions, diverting payments, or manipulating balances — beyond what is strictly necessary to produce a proof of concept.
- Sharing discovered vulnerabilities or Fingpay’s confidential technical information with any third party without Fingpay’s prior written consent.
- Demanding or soliciting monetary compensation, cryptocurrency, or any other consideration from Fingpay as a condition of reporting or not publicly disclosing a Vulnerability (extortion).
- Publicly disclosing a Vulnerability before the agreed disclosure embargo period has expired.
- Testing systems owned or operated by Fingpay’s banking partners, NPCI, UIDAI, or any Government of India entity.
- Making false or misleading statements about the nature, severity, or scope of any discovered or alleged Vulnerability.
13. Governing Law & Jurisdiction
13.1 Applicable Law
This Policy and all matters arising from or in connection with it shall be governed by and construed in accordance with the laws of India, including but not limited to:
- The Information Technology Act, 2000 (as amended), and the Rules and Regulations made thereunder, including the IT (Amendment) Act, 2008;
- The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011;
- The Digital Personal Data Protection Act, 2023 (as notified and enforced);
- The Reserve Bank of India’s Master Directions on Payment Aggregators and Payment Gateways (as amended from time to time);
- CERT-In Directions on Cyber Security Incident Reporting (2022) and related guidelines;
- The Indian Penal Code, 1860 (as applicable), and the Bharatiya Nyaya Sanhita, 2023;
- Any other applicable Indian law, regulation, or regulatory direction applicable to Fingpay as an RBI-authorised Payment Aggregator.
13.2 Jurisdiction
Any legal action or proceeding arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts and tribunals located in Indore, Madhya Pradesh, India. By submitting a Report under this Policy, the Researcher irrevocably submits to the personal jurisdiction of such courts and tribunals.
13.3 CERT-In Reporting Obligations
Fingpay acknowledges its obligations under the CERT-In Directions on Cyber Security Incident Reporting (April 2022) to report certain categories of cybersecurity incidents to CERT-In within prescribed timelines. Where a reported Vulnerability constitutes or gives rise to a reportable cybersecurity incident under applicable CERT-In directions or RBI guidelines, Fingpay shall fulfil its statutory reporting obligations. Where permissible by law, Fingpay will inform the Researcher that such reporting has been undertaken.
14. Policy Updates & Contact Information
14.1 Policy Updates
Fingpay reserves the right to modify, update, or terminate this Policy at any time, at its sole discretion. Any changes to this Policy will be effective upon publication of the revised version on Fingpay’s website at www.fingpay.co.in. Material changes will be indicated by a revision to the Policy version number and the effective date.
Any amended Policy terms will not apply retroactively to Reports already submitted and acknowledged prior to the effective date of the amendment. Researchers who have submitted Reports under an earlier version of this Policy will continue to be governed by the terms of that version with respect to their submitted Reports.
Fingpay strongly recommends that Researchers review this Policy before submitting any Report to ensure they are acting in accordance with the most current version.
14.2 Contact Information
For questions, clarifications, or to submit a vulnerability report under this Policy, please contact:
Security Disclosures Email | info@tapits.in |
General Enquiries Email | info@tapits.in |
Grievance Nodal Officer | Mr. Rahul Sisodiya |
Nodal Officer Email | Nodalofficer@tapits.in |
Nodal Officer Phone | +91 9770904283 |
Support — L1 (AEPS/UPI/mATM) | support1@tapits.in | +91 9770904294 |
Escalations — L2 | escalations@tapits.in |
Registered Office | 20 Dhenu Market, Indore 452003, Madhya Pradesh, India |
Additional Offices | Laxmi Tower, BKC, Bandra East, Mumbai 400051, Maharashtra; 35 Paigah Colony, Begumpet, Secunderabad, Hyderabad 500003, Telangana |
CIN | U72900MP2016PTC040639 |
GST | 23AAFCT7179K1ZV |
DISCLAIMER
This Policy is published for informational purposes and to provide a structured framework for responsible vulnerability disclosure. It does not constitute a waiver of any rights or remedies available to Fingpay under applicable law. Fingpay’s failure to exercise any right under this Policy shall not be construed as a waiver of that right. If any provision of this Policy is found to be unenforceable, the remaining provisions shall continue in full force and effect. This Policy constitutes the entire agreement between Fingpay and any Researcher with respect to the subject matter hereof and supersedes all prior discussions, representations, and agreements relating thereto.