Responsible Disclosure Policy
Introduction
lovexa.ai (“Lovexa”) is committed to safeguarding the security of our platform and user data. We value the assistance of the security community and encourage responsible reporting of any vulnerabilities discovered in our websites, mobile apps (Android/iOS), or other services. This Responsible Disclosure Policy outlines how security researchers and members of the public can report vulnerabilities in good faith, our expectations for responsible behavior, and our promise not to pursue legal action against those who follow these guidelines.
Scope
This policy applies to any security vulnerabilities in Lovexa’s owned and operated digital assets, including our official website (lovexa.ai), mobile applications, and other publicly accessible services. We ask that researchers focus their testing on these in-scope systems. Please do not target third-party systems, company partners, or any service not explicitly owned by Lovexa. Testing should not extend to physical security measures, social engineering of Lovexa employees or customers, or any networks beyond our control.
Out of Scope: While we welcome reports of genuine security flaws, certain issues are considered out of scope for this policy. These include vulnerabilities on outdated browsers or platforms, denial-of-service (DoS) attacks, spam or email spoofing issues without a direct security impact, and findings that do not demonstrably affect security (for example, reports solely about best practices or theoretical weaknesses without proof of concept). If you are unsure whether a bug is in scope, feel free to contact us for clarification before proceeding with extensive testing.
Guidelines for Responsible Testing
When researching and testing for vulnerabilities, we expect you to act responsibly and avoid any actions that could harm Lovexa, our users, or others. The following guidelines define acceptable conduct:
- Do:
  - Work within the scope outlined above and diligently avoid privacy violations. Stop testing and report immediately if you encounter personal data of others.
  - Use only your own accounts when testing (e.g. create a test user account) and do not access data that isn’t yours.
  - Keep impact minimal – test vulnerabilities in ways that do not degrade our services (for instance, find a vulnerability without overwhelming the server).
  - Document your findings thoroughly, including steps to reproduce the issue, the affected URLs or endpoints, and any relevant screenshots or proof-of-concept code. This helps us verify and fix the issue faster.
  - Allow reasonable time for resolution – after reporting, give Lovexa’s team a fair chance to investigate and patch the vulnerability before making any information public (coordinated disclosure).
- Do Not:
  - Do not exploit a vulnerability beyond what is necessary to demonstrate it. For example, do not download excessive data, modify data, or pivot to other systems after confirming a weakness.
  - Do not engage in destructive activities, such as launching brute force attacks, planting malware/backdoors, or using techniques that could disrupt our services (e.g. DoS/DDoS attacks).
  - Do not target others – avoid social engineering (phishing, pretexting) against Lovexa staff or users, and do not attack third-party services, networks, or applications of our partners.
  - Do not reveal or share any vulnerability details with anyone outside of Lovexa’s security team until we have addressed it and given you permission. This includes not posting about it on public forums or social media while it remains unresolved.
  - Do not demand compensation or attempt extortion. Lovexa does not offer a bug bounty or monetary reward for disclosures under this policy, and any threats (e.g. to release information if not paid) will result in disqualification from protection and possible legal action.
By adhering to these guidelines, your actions are considered authorized by Lovexa, meaning we will view them as legitimate, good-faith security research and not as an attack. This authorization extends to relevant anti-hacking laws; for instance, we will not pursue action under cybercrime statutes (such as the Indian Information Technology Act, 2000) provided you abide by this policy.
Reporting a Vulnerability
If you discover a security vulnerability in Lovexa’s platform, please report it to us as soon as possible via our dedicated security email: [email protected]. In your report, include the following details (without exposing any sensitive data you may have accessed):
- Summary: A brief description of the vulnerability and its potential impact. (What type of issue is it? What could an attacker do with it?)
- Scope: The specific URL, API endpoint, or part of the application where the issue occurs. Include the name of the product (website, Android app, iOS app, etc.) and version if applicable.
- Steps to Reproduce: A step-by-step explanation of how to trigger or recreate the vulnerability. If possible, provide relevant scripts or screenshots that illustrate the exploit process.
- Expected vs. Actual Outcome: What security behavior you expected and what actually happened (for example, “Expected the system to refuse access to unauthorized users, but was able to access another user’s data”).
- Your Contact Information: An email address or other method by which we can reach you for further questions or clarifications. You may report anonymously if you prefer, but then we may not be able to follow up or give recognition.
- Optional - Suggested Fix (if known): If you have any thoughts on how to fix the issue, feel free to share. This is not required but can be helpful.
Please do NOT include sensitive information (such as actual user data or personal identifiers) in your report. If you have obtained sensitive data, describe its nature (e.g., “I was able to see another user’s email address and order history”) without sharing the data itself. We may request more details if needed through a secure channel.
What to Expect After Reporting
Lovexa’s security team is grateful for your report and is committed to working with you. Here is what will happen once you submit your disclosure:
- Acknowledgment: We will acknowledge that we received your report within 3 business days. If you don’t hear back in that time, please feel free to send a follow-up message (in rare cases emails might be caught by spam filters).
- Initial Review: Our team will review the report and may reach out to you for clarification or additional information. Please be responsive to questions – collaboration helps us resolve issues faster.
- Assessment and Fix: Lovexa will verify the vulnerability and determine its severity and impact. Our engineering teams will then work on patching the issue. The timeframe for resolution can vary depending on complexity, but we strive to fix critical issues as a priority. We kindly ask that you refrain from disclosing the issue publicly during this period and give us a reasonable time to deploy a fix.
- Notification: We will inform you when the vulnerability has been validated and fixed. We may also ask you to re-test the issue to confirm our patch was effective, if you’re willing.
- Feedback and Coordination: Throughout the process, we are committed to transparency. We will notify you of the resolution status and, if appropriate, provide an explanation or remediation details. If for some reason we decide not to address a reported issue (e.g., if it’s deemed low risk or informational), we will explain why. We also welcome any further insights you may have.
- Disclosure: Once the issue is resolved, if you wish to publicly disclose your findings (for example, in a blog post), we generally welcome this and appreciate the contribution to the security community. We request that you coordinate with us on the timing of any public disclosure to ensure the fix is fully deployed and users are protected. We may also choose to publicly announce the fix (without exposing how to exploit it) as part of our security advisories.
Safe Harbor and Legal Protections
Lovexa pledges that if you act in good faith and in line with this Responsible Disclosure Policy, we will not initiate any legal action against you. Specifically:
- No Legal Action: You have our permission to conduct limited, good-faith security research involving our in-scope services. We will not file lawsuits or law enforcement complaints for accidental, good-faith violations of this policy. This means that as long as your testing stays within the bounds of acceptable behavior described above, we consider it authorized and will not accuse you of hacking or unauthorized access.
- No Retaliation: We will not take any punitive action (such as account suspension or restriction) against researchers who find and report vulnerabilities responsibly. Your Lovexa accounts will remain in good standing, and we will not seek to block or punish you for helping improve our security.
- Confidentiality: We will keep your identity and report details confidential to the extent possible. We won’t publicly reveal your name or contact information without your permission. The only exception would be if required by law (for example, a court order) – but in such unlikely cases, we would inform you.
- Protection from Third Parties: If a third party initiates legal action against you for activities conducted under this policy, and you have complied with our guidelines, Lovexa will make it known that your actions were authorized and undertaken in good faith. (For example, if a service provider or someone else mistakenly interprets your Lovexa-directed research as unlawful, we will clarify that it was sanctioned under our vulnerability disclosure program.)
Please note that this Safe Harbor is contingent on your cooperation and honesty. If your actions are malicious, beyond the scope, or violate the clear “do not” rules above, Lovexa reserves the right to withdraw these protections and pursue appropriate remedies.
No Monetary Reward (No Bug Bounty)
At this time, Lovexa does not offer a formal bug bounty program or financial compensation for vulnerability reports. Our responsible disclosure program is voluntary and meant for the security community to help us fortify our systems. By submitting a report, you acknowledge that you are not entitled to a reward or payment. We believe in engaging with the community out of mutual respect and commitment to security, rather than as a paid service.
While we cannot offer bounties, we deeply appreciate your effort. If you are the first to report a significant vulnerability, we would be happy to provide public recognition of your contribution, with your consent. This could include thanking you in a public advisory or adding your name (and a link, if desired) to a Security Acknowledgements section on our site. We understand some researchers prefer to remain anonymous, and we will always respect your preference.
Conclusion
Your security research can help protect our users and improve Lovexa’s services. We thank you for taking the time to responsibly disclose vulnerabilities. By working together in a constructive manner, we keep our community safe. If you have any questions about this policy or need clarification on any point before testing, please reach out to us at [email protected]. We are here to help and ready to listen.
Thank you for helping us uphold the highest security standards at Lovexa. Your efforts make a difference, and we are committed to addressing each report with diligence and appreciation.