VULNERABILITY DISCLOSURE POLICY

LAST REVISION: 14TH APRIL 2025

We, “SUPER6 FANTASY SPORTS PRIVATE LIMITED” having Corporate Identification Number U62099GJ2025PTC159869 and having its place of business at “C – 1008, Rajyash Rise, Near Vishala Hotel, Near APMC Market, Sarkhej Road, Ahmedabad – 380 007, Gujarat, Republic of India” (hereinafter referred to as the “Company”, for the sake of brevity), are committed to the Cyber and Information security of our Application “SUPER6” as well as all of our allied services in relation thereto. We recognize and appreciate the valuable role being played by our Company’s security researchers and security community in helping us identify and mitigate the potential vulnerabilities in our Application.

This Vulnerability Disclosure Policy outlines the guidelines and procedures for the responsible reporting, by our users or the Company’s security researchers or certified ethical hackers, of potential security issues in our Application. By reporting any potential security flaws in our Application to us, it shall be deemed that you have read, understood, accepted and agreed to be bound by and to comply with this Vulnerability Disclosure Policy.

The Company, however, reserves the right to change or revise this Vulnerability Disclosure Policy at any time by posting any changes or a revised Vulnerability Disclosure Policy on the Application. The Company shall alert you to the effect that changes or revisions have been made by indicating on the top of this Vulnerability Disclosure Policy the date it was last revised. The changed or revised Vulnerability Disclosure Policy shall be effective immediately after it is posted on this Application. Your continued use of the Application, following the posting of any such changes or of a revised Vulnerability Disclosure Policy, shall constitute your continued acceptance of any such changes or revisions.

You hereby acknowledge and agree that this Application is the exclusive property of the Company and by reporting the potential security vulnerabilities in the Application to the Company, you are helping the Company to maintain the trust of our users and are contributing to the continuous improvement of the security program of the Company.

1. Scope
  • a) That this Policy is applicable to all the users of the Application, including the Company’s security researchers and Certified Ethical Hackers, who discover and wish to report potential cyber and information security vulnerabilities within the Application. However, the following test methods are excluded from the scope and are not permissible:
    • i) Network denial-of-service testing or other tests that impair access to or damage a system or data;
    • ii) Social engineering i.e., phishing, vishing etc. or any other non-technical vulnerability testing.
  • b) That you acknowledge and agree that while testing to discover and identify any potential vulnerability in the Application, you are not violating any law or disrupting or compromising any data.
  • c) That this Policy shall not apply to any third party software or services which are integrated with or designed to modify the Application. Vulnerabilities found in such third party software or services should be reported to the respective third party in accordance with their vulnerability disclosure policy, if any.
  • d) That this Policy shall not apply to any physical security vulnerabilities, related to the security of our infrastructure or amenities.
  • e) That you are advised to contact the Company at [email protected], before starting your research, in case you are not sure whether a vulnerability falls within the scope or not.
2. Guidelines for Reporting Vulnerability
  • a) Reporting Process: That if you believe that you have identified and discovered a cyber and information security vulnerability in our Application, it is expected by the Company that you report the said vulnerability to the Company as soon as possible by sending an electronic mail to [email protected] or by filling up the online “Submission Form” provided below and include the following information in your mail / online submission form:
    • i) a detailed description of the potential vulnerability and its possible impact on the Application;
    • ii) supporting evidence such as screenshots, steps to replicate the vulnerability, logs, proof-of-concept code, or a video demonstration in case the vulnerability is a complicated issue;
    • iii) purge any data, stored while identifying and discovering the vulnerability, to the Company along with reporting of the said vulnerability;
    • iv) your contact information if you wish to be kept informed regarding the progress of remediation in respect of the said vulnerability.
  • b) Responsible Conduct: That while identifying and reporting any cyber & information security vulnerabilities to the Company, it is expected that the users or the Company’s security researchers or certified ethical hackers, as the case may be, adhere to the following principles:
    • i) do not disclose the said vulnerability to any third party until the said vulnerability is properly addressed and remediated by the Company;
    • ii) do not exploit the vulnerability to gain unauthorized access or cause harm to the Application and / or its data, as the case may be, or to cause harm to the Company or its third party associates;
    • iii) do not use an exploit to establish persistent command line access or pivot to other applications. It is expected that exploits may be used to the extent necessary to confirm the vulnerability’s presence.
    • iv) do not infringe the intellectual property rights of the Company in or to the Application;
    • v) do not violate the privacy rights or degrade the experience of the users in the Application or exfiltrate any data from the Application.
    • vi) do not employ any sort of testing beyond the scope of this Policy.
    • vii) do not request or demand compensation or engage in extortion for time and materials utilized for identifying and discovering vulnerabilities in the Application.
3. Handling Vulnerability Reports
  • a) Investigation: That upon receipt of the cyber or information security vulnerability report, the Company shall acknowledge its receipt within 48 to 72 hours. The Company shall, thereafter, initiate the investigation process to confirm the reported issue. The Company may contact you to seek clarification on the reported issue, if required. The Company shall keep you informed about its progress on the reported issue and shall provide updates regarding its remediation.
  • b) Remediation and Recognition: That the Company shall make every reasonable effort to address and remediate the reported vulnerability at the earliest. The Company shall inform you once the vulnerability has been successfully remediated. It may be noted that the Company does not pay rewards for identifying and reporting security vulnerabilities. However, the Company recognizes and appreciates the valuable role being played by you in helping us to identify and remediate the potential vulnerabilities in the Application.

4. Legal Protections:
That the Company shall not undertake any legal action against the users or the Company’s security researchers or certified ethical hackers, for reporting potential vulnerabilities to the Company, as long as they adhere to the provisions as outlined in this Policy, abide by the applicable laws and regulations, and act in good faith. However, the Company shall take appropriate steps in case any legal action is initiated by a third party, against you, for activities which are in compliance with this Policy and the Company shall make such third party as well as the legal authorities understand that the said activities were conducted in good faith and in compliance with this Policy.

5. Contact:
That if you have any queries related to this Policy, it is advised to contact the Company at [email protected].