Security & Responsible Disclosure
Doshi App Limited builds financial-engagement products for banks, mutuals, and lenders, and we handle personal and financial data. We take the security of our systems and our users' data seriously, and we welcome reports from security researchers, customers, and users who believe they have found a vulnerability.
Reporting a vulnerability
If you believe you have found a security vulnerability in any Doshi service, please email us at security@doshi.app. To help us triage and resolve the issue quickly, please include, where you can:
- A clear description of the issue and its potential impact
- Step-by-step instructions to reproduce it
- The affected URL, endpoint, or component
- Any proof-of-concept code, scripts, or screenshots
- How we can contact you for any follow-up questions
What to expect
When you report an issue to security@doshi.app, you can expect us to:
- Acknowledge receipt within 3 business days
- Validate the report and assess its severity using CVSS v3
- Work to remediate in line with our vulnerability-management targets — Critical and High-risk issues within 14 days, Medium-risk issues within 30 days, and lower-risk issues at our next scheduled maintenance window
- Keep you informed of our progress and let you know once the issue has been resolved
Scope
In scope are services operated by Doshi App Limited, including our website (www.doshi.app), the Doshi web and mobile applications, and the APIs that power them. The following are out of scope:
- Findings from automated tools or scanners without a demonstrated, exploitable impact
- Denial-of-service (DoS/DDoS), volumetric, or brute-force attacks
- Social engineering of Doshi staff, users, or contractors, and physical attacks against our offices or hardware
- Reports relating to third-party services or software we do not operate
- Missing best-practice hardening (e.g. security headers, TLS configuration, SPF/DKIM/DMARC) without a concrete, demonstrable vulnerability
- Clickjacking on pages with no sensitive actions
Rules of engagement
When researching, please:
- Only test against accounts and data that belong to you, or for which you have explicit permission
- Avoid accessing, modifying, or deleting other people's data
- Avoid actions that could degrade, disrupt, or damage our services or data
- Stop and report immediately if you encounter personal or financial data that is not yours
- Keep the details of any vulnerability confidential until we have had a reasonable opportunity to investigate and remediate
Safe harbour
We consider security research conducted in good faith and in accordance with this policy to be authorised. We will not pursue legal action against you for accessing or reporting a vulnerability in line with this policy, provided you act in good faith and avoid privacy violations, data destruction, and disruption to our services. If a third party initiates legal action against you for activities conducted in accordance with this policy, we will take steps to make known that your actions were authorised.
Coordinated disclosure
We are committed to working with you to understand and resolve issues quickly. We ask that you give us a reasonable opportunity to remediate — typically up to 90 days — before disclosing any vulnerability publicly, and that you coordinate the timing of any public disclosure with us.
Rewards
Doshi does not currently operate a paid bug-bounty programme. We are grateful for every report, and with your permission we are happy to acknowledge researchers who help us keep Doshi safe.
For Doshi users and partners
If you are a Doshi user or a partner institution and you believe your account or data may have been compromised, please contact us at security@doshi.app. For general, non-security support, email hello@doshi.app.
security.txt
Our machine-readable security contact information is published at /.well-known/security.txt in line with RFC 9116.
Last updated: 2 June 2026