Bug Bounty

Vulnerability Disclosure Program

Help us keep ClickToAutomate secure. Report vulnerabilities responsibly in our defined scope and earn recognition from our security community.

Introduction

ClickToAutomate is committed to strengthening the security of our platform and services. We welcome security researchers who responsibly disclose vulnerabilities they discover in our in-scope assets.

This Vulnerability Disclosure Policy (VDP) describes how we work with the security community to find and report issues. Reading this policy before submitting a report is required. Reports that do not follow these guidelines may receive a limited response and may not qualify for recognition on our Security Hall of Fame.

Last updated: May 24, 2026

In-scope assets

Only the following hosts and domains are in scope for this program. Testing outside this list is not authorized under this policy.

  • preview.clicktoautomate.in

    Preview and staging environment for ClickToAutomate products.

  • *.ctastore.in

    All subdomains under the CTA Store platform.

  • dashboard.clicktoautomate.in

    Customer dashboard and authenticated application surfaces.

Conditions

Security researchers must not:

  • Disrupt ClickToAutomate systems or services.
  • Modify or destroy data on our systems or services.
  • Disclose any found vulnerabilities to the public or third parties before we resolve them.
  • Violate the privacy of our users, employees, systems, or services.
  • Use high-intensity invasive, automatic, or destructive scanning or exploit tools.
  • Require financial compensation under threat of withholding or releasing vulnerabilities publicly.
  • Use malware or social engineering, spam, or phishing techniques.
  • Use a discovered vulnerability beyond proving or demonstrating its existence (e.g., pivoting to internal systems or maintaining persistent access).

To protect our customers and services, please securely delete any data retrieved during research as soon as it is no longer required, or within one month of the vulnerability being resolved—whichever comes first.

Reporting

If you believe you have discovered a security vulnerability in an in-scope asset, email us at support@clicktoautomate.in. For sensitive findings involving personal or financial data, indicate the urgency in the subject line.

Your report should include:

  • A detailed description of the vulnerability and its potential impact.
  • The date and time when the vulnerability was discovered.
  • Step-by-step instructions to reproduce the issue.
  • Proof-of-concept scripts or sample code, if applicable.
  • Screenshots, screen recordings, or any additional supporting material.

We will investigate and verify reported issues, assess severity, develop fixes when appropriate, and notify you when a vulnerability has been addressed. We ask for reasonable time to respond and remediate. You may inquire about status no more than once every 14 days.

Out-of-scope vulnerabilities

  • TLS/SSL configuration weaknesses without demonstrated exploitability.
  • Vulnerabilities obtained via compromise of customer or employee accounts.
  • Denial of Service (DoS / DDoS) attacks against our systems or services.
  • User interface bugs, typos, or cosmetic issues.
  • Login / logout CSRF.
  • Missing HTTP security headers that do not lead directly to a vulnerability.
  • Password, email, and account policy suggestions without security impact.
  • Open redirectors, clickjacking, or CSRF with no practical attacker use.
  • Exposed metrics or other non-confidential data.
  • Missing best-practice or configuration suggestions without a clear vulnerability.
  • Issues requiring a man-in-the-middle scenario to exploit.
  • Assets and domains not listed in our in-scope program.

Recognition

Valid vulnerabilities reported in accordance with this policy may qualify for public recognition on our Security Hall of Fame, depending on criticality and your preference. Compensation may be considered but is not guaranteed and depends on impact and available budget.

Researchers who submit valuable reports may be invited to a private bug bounty program in the future. Previously reported or internally known issues are not eligible for duplicate recognition.

Safe harbor

ClickToAutomate will not pursue legal action against researchers who submit vulnerability reports in good faith and in accordance with this policy, including accidental violations, provided the circumstances are clearly explained in the report.