Preamble
CodeFryDev welcomes the responsible disclosure of security vulnerabilities affecting its Digital Properties and open source repositories, in accordance with practices analogous to those published by GitHub, Google, and the Open Source Security Foundation (OpenSSF).
Researchers are expressly prohibited from exploiting vulnerabilities beyond the minimum scope necessary to demonstrate reproducibility. Researchers must not access, modify, or exfiltrate data belonging to other users.
Scope of Engagement
In Scope
- codefrydev.in and associated subpaths;
- official CodeFryDev mobile applications;
- published open source repositories under the CodeFryDev organisation; and
- application programming interfaces and authentication mechanisms operated by CodeFryDev.
Out of Scope
- third-party services not under CodeFryDev’s operational control;
- social engineering directed against individuals;
- denial-of-service attacks against production infrastructure;
- physical security vulnerabilities.
Reporting Procedure
Correspondence should be directed to codefrydev@gmail.com with the subject line “Security Vulnerability Report”, incorporating:
- a description of the vulnerability and its prospective impact;
- the affected product URL or repository identifier;
- reproducible steps to demonstrate the issue;
- proof-of-concept artefacts, if available; and
- contact particulars of the reporter (optional for anonymous submissions).
The Service Provider aims to acknowledge substantiated reports within a commercially reasonable timeframe and shall coordinate remediation upon validation.
Safe Harbour Provisions
The Service Provider shall not pursue legal action against researchers who:
- exercise good-faith efforts to avoid privacy violations and service disruption;
- restrict disclosure to the Service Provider until an agreed publication timeline; and
- comply with the present Policy.
Open Source Dependencies
Vulnerabilities residing in third-party dependencies should be reported upstream where appropriate; the Service Provider appreciates coordinated disclosure where its products are materially affected.
Effective: 24 May 2026