Responsible Disclosure

Index is fully committed to keeping customer data safe and secure. We value any inputs from the community to help us detect vulnerabilities and further improve our security posture.

How to report an issue

If you believe you have found a security vulnerability, please send an email to with the following details:

  • A general description of the vulnerability
  • The URL where this vulnerability was found
  • The steps to reproduce the vulnerability, including screenshots or videos if relevant

What we expect from you

  • Do not execute a Denial of Service (DoS) attack.
  • Do not run any automated tools against our servers.
  • Do not access or modify any data that does not belong to you.
  • Do not publicly disclose the vulnerability until we have had a reasonable amount of time to fix it.

What you can expect from us

  • We will respond to your report within 24 hours.
  • We will perform our own risk assessment for every reported vulnerability.
  • If your report is not eligible, we will let you know.
  • If your report is valid, we will prioritize the issue and inform you once it has been fixed.
  • We will let you decide whether you want to be publicly acknowledged or not.

In scope


Out of scope

  • Automated scanning
  • Social engineering
  • Password brute force
  • Clickjacking on pages with no sensitive actions
  • Missing security headers (unless you can demonstrate an exploit)
  • Security issues only reproducible under highly unlikely conditions (using outdated browsers, operating systems, or insecure internet connections)

Safe Harbour

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorised in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected to comply with all applicable laws at all times.

If you have concerns or are uncertain whether your security research is consistent with this policy, please contact us at and we'll be happy to answer any of your questions.

Bug Bounty Program

Index operates a private bug bounty program. Security researchers can receive cash payments in exchange for a qualifying vulnerability report submitted to Index via our bug bounty program, depending on the severity of the security issue and the quality of the report. Vulnerability reports should be submitted to to be eligible for the Bug Bounty Program.

Please note that the reward is contingent upon the security issue being both serious and previously unidentified by Index.