Responsible disclosure

Security & vulnerability disclosure

We take security seriously. If you believe you have found a vulnerability in Sanad, please report it responsibly using the details below.

Report a vulnerability

We acknowledge initial reports within 2 working days. Critical issues receive a triage decision and a remediation plan within 5 working days.

In scope

  • The Sanad portal at sanad.cognoshift.in and its public APIs.
  • The Sanad Sentinel agent binaries published under github.com/anupam9091/cognoshift-sentinel-dist.
  • Authentication / authorisation, RLS (row-level security) bypass, cookie-bridge, license-key handling.
  • Cryptographic chain integrity (Ed25519, SHA-256 chain).
  • Data residency / cross-tenant data leakage.

Out of scope

  • Denial-of-service and volumetric attacks. Rate-limit testing from a single IP is acceptable; please do not go further than that.
  • Physical attacks, social engineering of staff.
  • Disclosure of information that is already public (e.g. server headers or framework banners) without a working exploit.
  • Vulnerabilities in 3rd-party services (Supabase, Vercel, Razorpay, Resend) — please report to those vendors directly.

Disclosure process

  1. You email security@cognoshift.in with reproduction steps and an impact analysis.
  2. We acknowledge within 2 working days.
  3. We triage, classify (CVSS), and propose a remediation timeline within 5 working days.
  4. We patch, deploy, and verify with you that the fix works.
  5. After 90 days (or sooner by mutual agreement) you may publish a write-up. We are happy to co-disclose.
  6. If the issue is critical and remediation requires longer than 90 days, we'll explain why and request an extension.

Safe harbour

We will not pursue legal action against good-faith security research that follows this disclosure programme. Specifically: no testing on customer tenants other than your own, no data exfiltration beyond what is needed to demonstrate the vulnerability, and no public disclosure before the 90-day window (or an earlier date agreed with us) described in the process above has passed.

Hall of fame

Researchers who responsibly disclose verified vulnerabilities are credited here (with their permission). The first ten verified reports earn a shipped, Sanad-branded acknowledgment and a small token of appreciation. After that we intend to design a structured bounty programme.

No reports yet. Be the first.

Compliance & posture

  • Data residency: All customer data is resident in India by default: Supabase in ap-south-1 (Mumbai) and Vercel edge in Mumbai.
  • Encryption: AES-256-GCM at rest, TLS 1.3 in transit, Ed25519 for artifact signing.
  • Patents: P1, P2 filed; P4, P5 in IDF stage with Lex Orbis.
  • Legal entity: COGNOSHIFT PRIVATE LIMITED · CIN U85499HR2025PTC130446 · Haryana, India.
  • CERT-In empanelment: Application in progress.
  • SOC 2 / ISO 27001: Roadmap; not yet certified.

About CognoShift · Contact · security.txt