Vulnerability Disclosure Policy
- Aditi Consulting Vulnerability Disclosure Policy
- Introduction
- Scope
- What Is a Vulnerability
- Reporting a Vulnerability
- Acknowledgment and Response
- Remediation and Disclosure Timeline
- Rules of Engagement and Expectations
- Safe Harbor
- Confidentiality and Use of Reported Information
- Governing Law
- Changes to This Policy
- Contact Us
Aditi Consulting Vulnerability Disclosure Policy
Last Updated: February 13, 2026
Introduction
Aditi Consulting (“Aditi,” “we,” “our,” or “us”) is committed to operating secure, trustworthy digital products and services and to protecting the confidentiality, integrity, and availability of our systems and data. We recognize that security researchers, clients, customers, and third parties play a valuable role in improving security by responsibly reporting potential vulnerabilities they may discover.
This Vulnerability Disclosure Policy (“Policy”) is intended to provide a clear and transparent process for reporting potential security vulnerabilities in Aditi’s digital assets in good faith, and to explain our expectations and commitments regarding the receipt and handling of these reports.
By participating in this program, you agree to comply with this Policy.
Scope
This Policy applies to vulnerabilities discovered in the following:
- Aditi’s publicly accessible websites (including but not limited to www.aditiconsulting.com) and web applications.
- APIs, web services, and related infrastructure that support those public assets.
- Digital services offered or operated by Aditi are expressly covered by this Policy.
This Policy does not authorize testing of internal systems, services not owned by, controlled or provided by Aditi, or systems for which you do not have explicit permission to test. Any testing outside the scope of this Policy is prohibited and may be unlawful. In addition, and unless explicitly authorized in writing, the following is out of scope for this Policy:
- Denial-of-service (DoS/DDoS) attacks, load testing, or other availability-impacting tests.
- Social engineering (phishing, vishing), physical security testing, or attempts to access facilities.
- Spam or content injection on public forms without demonstrating a security impact.
- Issues solely related to outdated browsers/devices or missing security headers without practical exploitability.
- Third-party services not controlled by Aditi (e.g., external platforms, vendor systems), unless the issue is demonstrably exploitable through an Aditi-controlled asset.
If you are unsure whether a target is in scope, report it and we will work with you to address it.
What Is a Vulnerability
For the purposes of this Policy, a “vulnerability” is a flaw or weakness in a system, application, or infrastructure that could allow an attacker to gain unauthorized access, disclose or alter data, disrupt services, or otherwise compromise the security or privacy of a system or its users.
Examples of vulnerability categories include (but are not limited to):
- Cross-site scripting (XSS), injection flaws, broken authentication;
- Server misconfigurations, insecure direct object references;
- Logic flaws, privilege escalation issues.
This list is illustrative and not exhaustive.
Reporting a Vulnerability
How to Report
To report a potential vulnerability, please send an email to: info@aditiconsulting.com.
Your report should include:
- A clear description of the vulnerability and its potential impact;
- The affected systems, pages, endpoints, parameters, configurations, or URLs;
- Steps to reproduce the issue (detailed enough for our team to verify);
- Any supporting proof-of-concept, logs or screenshots (if available);
- Your contact information and preferred method to communicate with you (so we may follow up for clarification);
- Whether you believe data may have been accessed (and what type).
Please do not publicly disclose any details of the vulnerability until Aditi has had a reasonable opportunity to investigate and remediate the issue. If your report involves privacy or personal information, you may also contact: privacy@aditiconsulting.com.
Acknowledgment and Response
We aim to:
- Acknowledge receipt of your submission typically within three (3) to five (5) business days;
- Provide an initial assessment of the reported issue;
- Work actively with you to understand, validate, and address the issue, as appropriate.
We may reach out for clarification or additional details as part of our resolution process.
Remediation and Disclosure Timeline
We will work in good faith to remediate valid vulnerabilities in a timely manner. We will determine a reasonable timeframe for remediation based on the severity and complexity of the issue.
Responsible public disclosure of the vulnerability details will be coordinated with the reporter (if they choose to be credited), and only after a fix has been released or a reasonable remediation period has elapsed.
If you wish to publish your findings, we ask that you coordinate timing with Aditi, remove or redact code that could be used to harm users, and exclude any sensitive personal data from public write-ups or disclosures.
Rules of Engagement and Expectations
When conducting testing for potential vulnerabilities, you agree to:
- Act in good faith and avoid actions that are destructive, invasive, or malicious, including privacy violations, data destruction, and service disruption;
- Refrain from accessing, modifying, or destroying data that is not your own and only access data that is necessary to validate the vulnerability;
- Avoid activities that degrade or interrupt services, including denial-of-service attacks;
- Only interact with systems that are within the Scope of this Policy.
The following guidelines apply to researchers, and we respectfully ask that you:
- Do not attempt to access, modify, exfiltrate, or delete data that does not belong to you;
- Do not violate any applicable law or regulation;
- Do not perform actions that degrade service availability (DoS/DDoS);
- Do not use automated scanners aggressively against production systems;
- Do not pivot to other systems or accounts;
- Do stop testing once you have established that a vulnerability exists;
- Do report promptly with enough detail to reproduce the issue.
Please note that unauthorized scanning, exploitation, or disruptive behavior could expose you to legal liability. This Policy does not apply to actions that are malicious, intentionally disruptive, or involve theft, extortion, or other unlawful conduct.
Handling of Personal Information
If you encounter personal information during testing:
- Stop immediately;
- Do not save, copy, transfer or share the data;
- Notify Aditi via the channels and links provided in this Policy and include only minimal information needed to locate the affected area;
- Please contact: privacy@aditiconsulting.com.
Safe Harbor
To the extent permitted by applicable law, if you comply in good faith with this Policy and act responsibly in reporting potential vulnerabilities, Aditi will not pursue legal action against you for such activities. We commit to working transparently and collaboratively with researchers who act ethically and cooperate fully.
However, this Policy does not create legal rights or obligations, and participation is voluntary.
Confidentiality and Use of Reported Information
We will treat vulnerability reports and related communications as confidential to the extent permitted by law, and any published disclosures will be coordinated with the reporter.
Governing Law
This Policy and any disputes arising from or relating to it are governed by the laws of the State of Washington, United States.
Changes to This Policy
Aditi reserves the right to update this Policy from time to time. When we do, we will revise the “Last Updated” date at the top of this page. Continued submission of vulnerability reports after such updates constitutes acceptance of those changes.
Contact Us
If you have questions about this Policy or how to report a vulnerability, please contact:
Email: infosec@aditiconsulting.com