Scope of Testing
The following assets are in-scope for vulnerability testing:
• Main Website: https://sochsolar.com
• Subdomains: Any subdomain of sochsolar.com (i.e., any host matching *.sochsolar.com)
• APIs: Any publicly accessible API endpoints
• Web Applications: Any official Soch Solar application hosted under the sochsolar.com domain
• Mobile App: Soch Solar mobile app for iOS and Android
Out-of-Scope
Please refrain from testing or reporting vulnerabilities in the following areas:
• Third-party services integrated with our website or app (e.g., payment gateways or customer support systems)
• Non-production or staging environments that are not hosted under a .sochsolar.com hostname
• Physical infrastructure
• Social media accounts
Vulnerabilities found in out-of-scope assets will not be considered valid; we encourage researchers to focus on our main digital infrastructure listed above.
Mobile App Testing Guidelines
We welcome reports of security vulnerabilities in our Soch Solar mobile app (available on iOS and Android). Please follow the guidelines below when testing our mobile app:
• Platform Compliance: All testing must comply with the Apple App Store and Google Play Store terms and conditions. Any activities that violate the platform's policies (such as distributing malware or unauthorized apps) are strictly prohibited.
• Data Privacy: When conducting research on our mobile app, ensure that you do not extract or misuse personal data of our users. If any user data is unintentionally accessed during testing, please report this immediately to us and do not store, share, or download the data.
• In-App Purchases and Features: Testing should not disrupt live services or transactions, such as interfering with in-app purchases, promotional offers, or other critical app functionalities.
• Authorized Actions:
– Mobile API security, including testing for insecure API calls and data exposure.
– Authentication bypasses or privilege escalation vulnerabilities.
– Issues with mobile storage security, such as improper storage of sensitive information.
• Prohibited Actions:
– Automated vulnerability scanning that could overload our servers or systems.
– Disrupting our app services, such as conducting Denial of Service (DoS) attacks.
– Reverse-engineering the app to access unauthorized areas or manipulate app behavior.
What We Are Interested In
We are particularly interested in vulnerabilities related to:
• Cross-Site Scripting (XSS)
• SQL Injection
• Authentication Bypass
• Cross-Site Request Forgery (CSRF)
• Privilege Escalation
• Remote Code Execution (RCE)
• Sensitive Data Exposure
• Mobile App Security (e.g., insecure API calls, improper storage of sensitive data, and authentication flaws)
Exclusions (Not Considered Valid Vulnerabilities)
• Clickjacking on pages with no sensitive actions
• Unauthenticated/logout CSRF
• Reports on SSL/TLS best practices (e.g., weak ciphers or lack of forward secrecy)
• Vulnerabilities related to missing security headers (unless they result in a real exploit)
• Rate-limiting findings and denial-of-service reports (DoS/DDoS)
• Non-security issues in the mobile app (e.g., UI/UX flaws or functional bugs with no security impact)
Reporting a Vulnerability
If you believe you’ve discovered a security vulnerability in either our website or mobile app, we encourage you to report it to us as follows:
1. Contact: Email us at sales@sochsolar.com.
2. Encryption: If your report contains sensitive information, please use our PGP key for encryption.
3. Information to Include:
• Description of the vulnerability.
• Steps to reproduce the issue.
• Potential impact and severity of the issue.
• Your recommendations for a fix.
• Any relevant screenshots, logs, or app-specific details (such as the app version).
4. Responsible Disclosure: We ask that you provide us with at least 90 days to fix the issue before publicly disclosing it.
You can find more detailed contact information for reporting security vulnerabilities in our security.txt file.
Our Commitment
We take vulnerability reports seriously and commit to the following process:
1. Acknowledge Receipt: We will acknowledge your report within 15 business days.
2. Assessment: Our team will assess the reported vulnerability and work on a fix. This process typically takes 30 to 90 days, depending on the complexity of the issue.
3. Resolution: Once resolved, we will notify you of the fix. If you agree, we will acknowledge your contribution on our Security Acknowledgments page.
4. Safe Harbor: If you comply with this policy, Soch Solar commits not to initiate legal action against you for activities performed within the scope of this policy. We are committed to working with security researchers to resolve vulnerabilities responsibly.
Legal Considerations and Compliance
For Researchers in the EU (GDPR Considerations)
• Under the General Data Protection Regulation (GDPR), unauthorized access to personal data is itself a personal data breach that we are obliged to handle. If your research results in access to personal data, go no further than needed to demonstrate the issue, and do not extract, download, or distribute that data.
• If your discovery includes access to personal data, please notify us immediately, and we will follow the proper disclosure and mitigation steps to comply with GDPR, including notifying data subjects if necessary.
For Researchers in India (IT Act Compliance)
• Under the Information Technology Act, 2000 (amended in 2008), unauthorized access to computer systems is illegal in India. By following our security policy, you are authorized to test Soch Solar's digital assets within the scope defined above.
• Do not engage in activities that would violate local laws, such as the illegal extraction of data or unauthorized use of our infrastructure.
• We reserve the right to notify the authorities if research activities are deemed malicious or outside the bounds of this policy.
Global Legal Protections and Responsible Disclosure
Soch Solar follows international best practices in responsible disclosure. Security researchers acting in good faith and in compliance with this policy will be protected from legal action. However, actions that fall outside the scope of this policy (such as attempting to exploit vulnerabilities for personal gain or failing to notify us of a discovered issue) may be subject to legal action.
Recognition and Rewards
If your report leads to a confirmed and remediated vulnerability, we are happy to acknowledge your efforts publicly on our Security Acknowledgments page.
We currently do not offer a formal bug bounty program, but we do offer recognition and may provide discretionary rewards for significant contributions.
Safe Harbor
When conducting vulnerability research in compliance with this policy:
• You are authorized to conduct research on the in-scope assets, including our website and mobile app.
• We consider this research to be lawful, as long as it follows the guidelines outlined in this policy.
• We will not pursue legal action against you if your actions are performed in good faith and within the scope of this policy.
• If legal action is initiated by a third party against you for activities conducted under this policy, we will make it known that your actions were conducted in compliance with our security policy.
Updates to This Policy
This policy may be updated from time to time. The most current version will always be available on this Security Policy page. We encourage researchers to review the policy periodically for updates.
Contact Us
If you have any questions or concerns about this policy or need to report a vulnerability, please reach out to us at:
Email: sales@sochsolar.com
PGP Key: available for download from this page (use it to encrypt reports containing sensitive details)
Security.txt: available on this page, and at the standard /.well-known/security.txt location referenced above