Security & responsible disclosure

We take the security of our systems seriously. If you believe you have discovered a vulnerability in any property operated by GetIt Express Private Limited, please report it to us privately and give us a reasonable opportunity to fix it before any public disclosure.

1. How to report

• Email security@getit.express with a clear description of the issue, the affected URL or component, and steps to reproduce.
• Where possible, include proof-of-concept material (screenshots, request payloads). Avoid testing techniques that could degrade service for others.
• A machine-readable copy of this contact is available at /.well-known/security.txt per RFC 9116.

2. What you can expect from us

• Acknowledgement within 3 working days.
• An initial triage assessment within 10 working days.
• Updates as we work through validation, fix, and deployment.
• Public credit, with your consent, in any subsequent advisory we publish.

3. Safe-harbour

We will not pursue civil or criminal action against good-faith researchers who comply with this policy and who:

• Avoid privacy violations, destruction of data, and degradation of service.
• Do not access more data than is necessary to demonstrate the issue.
• Give us reasonable time to remediate before disclosing publicly.
• Comply with all applicable laws.

4. Out of scope

• Reports based solely on automated scanner output without proof-of-impact.
• Denial-of-service or resource-exhaustion attacks.
• Issues on third-party services we depend on (please report directly to the vendor concerned).
• Social engineering of employees, vendors, or customers.

5. Bounty

We do not currently operate a paid bug-bounty programme. Acknowledgement and public credit are offered in lieu of monetary compensation.

6. Grievance Officer

For grievances under the IT Intermediary Rules, 2021, contact:

• Name: Ajay Pawar
• Designation: Director — designated Grievance Officer
• Email: grievance@getit.express
• Phone: +91 93025 25332