1.1 We, the Adani entities (“Adani” or “We” or “Us”), are cognizant of the security of our systems and value the security community. We believe that information security is important and endeavor to handle the same with utmost attention to keep our technical systems safe, secure and robust for all stakeholders including our customers to use.
1.2 We genuinely value the assistance of the security researchers and others in the digital security community to collaborate, coordinate and assist Us in keeping our systems safe and secure. We appreciate security researchers/vulnerability researchers/vulnerability testers/cyber security experts (“Discloser” or “Your” or “You”) contribution and intend to work closely with You to address any reported issues with urgency and will endeavor to acknowledge Your contributions as set out herein.
1.3 Adani’s Responsible Vulnerability Disclosure Policy along with such other policy as referred herein (“Policy”) covers the terms of Your participation in the Responsible Vulnerability Disclosure Program (the "Program"). The Program enables You to submit vulnerabilities and exploitation techniques, as set out in the Scope ("Vulnerability(ies)") to Adani.
1.4 Please note that this Policy forms the contractual relationship between You and Adani with respect to the Program and an obligation on You towards maintaining the highest level of confidentiality regarding the Vulnerabilities and information cited by You. Participants in the Program hereby irrevocably, unconditionally, and unequivocally accept and agree to abide by the Policy and shall not have any right or claim on Adani for citing any discrepancies or Vulnerabilities. Participants are advised to revisit the Policy regularly to check the terms and conditions and the updates. Adani reserves the right to make changes to the Policy and/or the Program at its sole discretion which will be effective once they are published and the contractual relationship between You and Adani shall be viewed as per the revised Policy and/or the Program wherever applicable. Participating in the Program after any changes become effective means You agree to the new terms and/or Program. If You do not agree to the new Policy and/ or the Program (or any amendments thereof), You may choose not to participate in the Program. Your participation and this Policy are further subject to applicable laws, regulations, and other policies which may be applicable for any other matter related to cybersecurity, data protection, information technology and information security.
This Policy is applicable to any system which is publicly acknowledged to be a part of Adani’s information technology system including but not limited to websites, mobile applications, network systems, IP addresses (“System”).
The following will be excluded from the scope of this Program:
(a) Any testing process or methodologies that may result in a Denial-of-Service (DOS) or Distributed-Denial-of-Service (DDOS) on our production environment.
(b) UX/ UI related issues or those issues that pertain to system functionality rather than security.
(c) Staging and development environments.
You are eligible to participate in the Program if You meet all of the following criteria:
(a) You should be at least 18 (eighteen) years of age;
(b) You should not be a resident of any of the countries which are under sanctions or any other country that does not allow participation in this type of Program;
(c) You are either a researcher participating in Your own individual capacity, or You work for an organization that permits You to participate in the Program and You are not in breach of Your employer’s policy with respect to participation in the Program;
(d) You must agree to abide by all the rules and regulations of the Program and/or the Policy.
(e) You should not have any criminal record and should not be in breach of any applicable law and/or compliance in India or any other country that You are a citizen of or reside in.
(f) You are or were not involved, in the last six months, in any part of the development, administration, and/or execution of Adani’s Systems on which the Vulnerabilities are being reported.
In case You make disclosure of the Vulnerability to any third party or to public at large, without prior written consent from Adani it will result in immediate disqualification from current Program and any of our programs in future. Please note that Adani reserves the right to impose restrictions on Your ability or eligibility to enter the Program depending upon Indian laws and/or any other applicable law.
If You happen to have identified a Vulnerability on any of our System(s), follow the steps outlined below:
Please contact Us immediately by sending an email to - firstname.lastname@example.org with the necessary details to recreate the Vulnerability scenario. This may include screenshots, videos or simple text instructions (“Report”).
Along with the Report, please share the following contact information (fields marked * are mandatory):
|1. Reporter’s Details|
|a. Full Name / Handle *:|
|d. Phone Number:|
|2. Vulnerability Details|
|a. System/ Application name*:|
|b. Access Source (e.g., URL, IP, Play store source, etc.)*:|
|c. Type of System/ Application (e.g., web, mobile, IP, etc.)*:|
|d. Vulnerability Name*:|
|c. Vulnerability Description*:|
|d. Date when issue found*:|
|e. Steps to Reproduce (PoC)*:|
|f. Impact of Vulnerability:|
|h. Testing Methodology (tools & version used):|
Your contact details shall be used by our cybersecurity team to reach out to You for further input, if needed to identify or close the Report.
Adani shall retain such information for administrative purposes. Recognition to Your reporting of Vulnerabilities to Us is subject to You being the first reporter of the Vulnerability. Adani reserves the right and discretion to recognize the Vulnerability, on a case-by-case basis.
Adani will examine and validate the Vulnerability Report and acknowledge whether or not the Report will be escalated further by Adani as per its escalation process.
Upon successful validation, if required, Adani may initiate the escalation process for remediation and closure of the issue. Adani may resolve the Vulnerability on its own and may at its discretion consider You for support. In case Adani seeks assistance from trusted third parties for remediation of the Vulnerability, Adani may request You to support such third parties upon a prior intimation by Adani.
The Program is a recognition-based program only and not part of any cash/ bug bounty program, and You will not be entitled to any monetary, cash or cash equivalent reward. Adani shall not be granting any monetary, cash or cash equivalent reward at any time.
Upon acceptance and validation of the Report as per escalation process, Adani shall issue an acknowledgement to You for reporting Vulnerability issues responsibly and helping Us in making Adani’s systems more safe and secure. Further, Adani at its discretion may acknowledge You on public communications or other printed materials unless You explicitly ask Us not to include Your name.
REPRESENTATION AND WARRANTIES
You hereby represent, warrant, undertake and covenant to:
(a) Refrain from privacy violations, degradation of user experience, disruption to our systems, and destruction of data during security testing.
(b) Perform research only within the scope set out in this Policy.
(c) Keep information about any Vulnerabilities You have discovered confidential between You and Adani.
(d) Not publicly disclose the Vulnerability on any online or physical platform before it is fixed and without prior written approval from Adani to publicly disclose such Vulnerability.
(e) Have the right, title, and interest to disclose any Vulnerability found and to submit any information, including documents, codes, among others, in connection therewith.
(f) Be held responsible for the accuracy, completeness, appropriateness, and authenticity of any data or Vulnerabilities You upload and/or provide through your participation in the Program.
(g) Waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by Adani.
(h) Not perform any attack that could harm the confidentiality, integrity, and availability of Our digital infrastructure.
(i) Not undertake directly or indirectly any denial of service/spam attacks in any manner whatsoever.
(j) Follow the principles of responsible disclosure, which include reporting vulnerabilities to Adani promptly, not disclosing the Vulnerability publicly or to a third party until a resolution is published, and not using the Vulnerability to exploit or harm the System.
(k) Keep the Report confidential and not share it with any third party other than the parties nominated by Adani.
GRANT OF LICENSE
You hereby grant Adani and/ or any of its vendor or third-party nominated by it, the following exclusive, irrevocable, perpetual, royalty-free, worldwide, sub-licensable license to the intellectual property, in Your Report:
(a) to use, review, assess, test, and otherwise analyze Your Report;
(b) to reproduce, modify, distribute, display, adapt and perform publicly, and commercialize and create derivative works of Your Report and all its content, in whole or in part; and
(c) to feature Your Report and all of its content in connection with the marketing or promotion of this Program or other programs (including internal and external meetings, conference presentations, tradeshows, and screen shots of the submission in press releases) in all media (now known or later developed).
You shall protect all information from being disclosed to any third party, hold the same in trust and strict confidentiality and not disclose it in any manner. Restricted information shall mean and include any and all information obtained or observed by You in any form while participating in the Program (“Restricted Information”).
You shall not access, store, modify or reproduce in writing our users’ data or other Restricted Information. Further, You agree that you shall:
(a) not use any such Restricted Information except solely for the purpose of this Program;
(b) not divulge any such Restricted Information to any third party; and
(c) not copy or reverse engineer any such Restricted Information or use/exploit such Restricted Information in any manner whatsoever.
All Restricted Information furnished to You by Adani shall remain the exclusive property of Adani and Adani shall have the sole and exclusive ownership of all right, title, and interest in and to the Restricted Information, including ownership of all copyrights, patents and trade secrets pertaining thereto, subject only to the rights and privileges expressly granted by Adani under the terms of this Program.
Promptly upon Adani’s request at any time, You shall return, cause to be returned to Adani or destroy all the Restricted Information, including all materials or documents, any copies, summaries and notes of the contents thereof (whether in hard or soft copy form) without limitation, all copies of any analyses, compilations, studies or other documents prepared by and/or for Adani, containing or reflecting any Restricted Information and give written certification accordingly.
Notwithstanding anything to the contrary stated elsewhere, the Policy does not allow any public disclosure of any Vulnerabilities, Report or Restricted Information without prior written consent of Adani.
You shall not release any information mentioned in Paragraph 9.5 above to the public or any third parties, failing which You shall be liable for appropriate legal action.
Nothing contained in this Program shall be construed to obligate Adani to disclose any information to You.
You shall be solely responsible for any action performed by You for discovering any Vulnerability whatsoever. You shall, on first demand, indemnify, defend and hold Adani and its affiliates, officers, employees and agents harmless from and against any claims, liabilities, losses, costs, expenses, damages, including reasonable legal fees, of whatsoever nature which may be incurred or suffered by Adani, arising out of or as a result of any breach of the Program including negligence, misconduct, fraud, breach of representation and warranties and breach of confidentiality obligation and/ or any breach of intellectual property rights or otherwise of any of Your obligations contained herein.
GOVERNING LAW AND JURISDICTION
This Policy/Program shall be governed by and construed exclusively in accordance with the laws of India. The Parties agree that the courts at Ahmedabad, Gujarat, India shall have exclusive jurisdiction to settle any disputes arising out of or in connection with this Policy/Program.
Adani, and any of its affiliates, subsidiary, assigns, and any other group companies, make no warranties, express or implied, guarantees or conditions with respect to the Program. You understand that Your participation in the Program is completely voluntary and at Your own risk. We exclude any express or implied warranties in connection with the Program.
RIGHT TO INJUNCTIVE RELIEF
You understand and acknowledge that any misappropriation or disclosure of any of the Restricted Information or any other information in violation of the confidentiality obligations and the terms and conditions of the Program will cause Adani grave and irreparable harm, loss and injury, the amount of which may be difficult to ascertain. Adani shall be entitled to apply for injunctive relief in addition to any and all other legal or equitable remedies available to it, in the event of any breach or threatened breach of this Policy by You. You expressly waive the defence that a remedy in damages will be adequate.
Appropriate legal recourse shall be taken against You, if the identified Vulnerabilities are exploited for unlawful gains or getting access to restricted customer or system information or impairing Adani’s systems or Program guidelines are not followed. This Policy is the entire agreement between You and Adani for Your participation in the Program. It supersedes any prior agreements between You and Adani regarding Your participation in the Program. All parts of this Policy apply to the maximum extent permitted under applicable law. If a court holds that Adani cannot enforce a part of this Policy as written, Adani may replace those terms with similar terms to the extent enforceable under the relevant law, but the rest of these terms shall not change and remain enforceable.
If any legal action is initiated by a third party, including law enforcement, against You because of Your participation in this program, and you have sufficiently complied with our Policy (i.e., have not made intentional or bad faith violations), We will take steps to make it known that Your actions were conducted in compliance with this Program as long as your actions are within the scope of the program. This is not, and should not be understood as, any agreement on our part to defend, indemnify, or otherwise protect You from any third-party action based on Your actions.
We shall not be liable to You for any damages, claims, expenses, or other costs You suffer or incur as a result of third-party claims relating to Your use of the Program.
You shall relinquish all rights associated with the Report including but not limited to intellectual property rights.
We shall not confirm Your eligibility for participating in the Program. You accept that You shall only participate in the Program if You fall within the eligibility criteria.
Under no circumstances will We be liable for any indirect, special, incidental, punitive, or consequential damages.
Adani will make all attempts to expedite the Vulnerability resolution, however no fixed deadlines can be assigned due to involvement of handling processes, cooperation, and priorities as well as uncertainties surrounding the complexity of solution which are well beyond the control of Adani.
You must ensure to comply with all the extant laws and regulations while discovering the Vulnerabilities. Reporting a Vulnerability to Adani does not exempt You from any compliance. You shall be responsible for any action performed by You for discovering the Vulnerability whatsoever.
You must ensure that You are not in contravention to the Information Technology Act, 2000 and any amendments thereof.
IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM.