Revision History: v2026.05
Welcome to XC0MRADE, a technology-enabled vulnerability management marketplace operated by XC0MRADE Technologies Private Limited (the company, we, us, or our), incorporated under the Companies Act, 2013 with CIN U62099BR2025PTC079540.
This GCU governs your access to and use of xcomrade.tech, including related applications, APIs, and services. By creating an account, clicking I Agree, or using the services, you agree to be legally bound by this GCU and the Privacy Policy.
If you do not agree to these terms, you must stop using the platform.
Attack Surface Management - continuous discovery and monitoring of an organisation's external digital assets.
Bug Bounty Programme where an organisation offers rewards for qualifying vulnerabilities in defined scope.
Indian Computer Emergency Response Team under Section 70B of the IT Act, 2000.
Company fee retained from reward disbursement, presently 15% to 20% [TBC], subject to notice.
Any legal entity registered on the platform to host programmes or procure services.
Digital Personal Data Protection Act, 2023, including applicable rules and directions.
Platform ledger account holding organisation funds pending researcher disbursement.
These General Conditions of Use, as amended from time to time.
Know Your Business verification for organisations, including CIN/GST and bank validation.
Know Your Customer verification for researchers, including Aadhaar/PAN/bank validation.
Multi-factor authentication using TOTP or email OTP for account login security.
Any testing against assets not explicitly listed in the programme scope.
Three-level reputation system (P3, P2, P1) based on Sketch Score and conduct.
xcomrade.tech infrastructure, software, APIs, dashboards, and associated services.
Any BBP, VDP, or PTM engagement hosted through the platform.
Penetration Test Management service for structured tests by vetted researchers.
In-scope, reproducible, non-duplicate vulnerability meeting programme thresholds.
Submission by a researcher containing technical details, PoC, impact, and remediation.
Monetary or non-monetary consideration offered for accepted qualifying reports.
Legal protection for authorised, in-scope testing as per Section 12 of this GCU.
Specific systems, applications, IP ranges, and parameters defined by organisation.
Independent individual registered to discover and responsibly disclose vulnerabilities.
Reputation score calculated as per Schedule A points and deductions.
Platform visual tool for exploit-chain diagrams attached to reports.
Vulnerability Disclosure Programme with responsible disclosure but no reward obligation.
Researcher wallet tracking reward credits, deductions, and payout status.
Platform learning module for CTFs, educational paths, and skill development.
Platform usage is restricted to individuals at least 18 years of age.
Security Researchers are independent contractors, not employees, agents, or partners of the company.
Organisations must be valid legal entities and authorised representatives must have authority to bind them to this GCU.
Users must provide accurate information. Roles include Security Researcher, Organisation, Verifier, Admin, and Superadmin.
MFA (TOTP or email OTP) must be enabled within 72 hours of registration.
Organisation-run programmes with rewards for qualifying vulnerabilities.
Non-monetary disclosure channel with recognition and reputation impacts.
Managed penetration testing engagements under separate statements of work.
Continuous external attack surface monitoring for subscribed organisations.
Learning and CTF module for capability growth and community participation.
Diagramming tool for exploit chain visuals attached to reports.
Testing must remain strictly inside programme scope.
| Period | Description |
|---|---|
| Day 0 | Report submitted via platform |
| Day 1-3 | Initial triage by verifier |
| Day 4-7 | Organisation notified; acknowledgement required |
| Day 8-30 | Organisation remediation window |
| Day 31-90 | Extended remediation for complex/critical issues |
| Day 91+ | Researcher may request disclosure with company approval |
All platform software, tooling, branding, and proprietary systems are company intellectual property.
Accepted reports grant organisations a non-exclusive, irrevocable, perpetual, worldwide, royalty-free licence for remediation and security improvement purposes.
De-identified aggregate vulnerability pattern outputs are owned by the company.
Platform commission applies per programme terms, currently 15% to 20% [TBC] where applicable.
TDS may be deducted as applicable law requires. Rates and treatment are subject to statutory requirements.
| Category | Examples | Legal Basis (DPDPA) |
|---|---|---|
| Identity Data | Name, Aadhaar token, PAN, selfie | Consent; Legitimate Use |
| Contact Data | Email, phone, address | Consent |
| Financial Data | Bank account, UPI ID, TDS records | Legal Obligation |
| Technical Data | IP address, logs, device info | Legitimate Use |
| Usage Data | Reports, zerod activity, actions | Legitimate Use |
| KYC/KYB Documents | CIN, GST, board resolution | Legal Obligation |
| Communications | Support tickets, legal appeals | Consent / Legitimate Use |
| Data Category | Retention | Basis |
|---|---|---|
| KYC/KYB Documents | 5 years after closure | PMLA requirements |
| Financial and TDS Records | 7 years | Income tax requirements |
| Security Logs | 180 days rolling | CERT-In directions |
| Accepted Reports | As required by law or contract | Compliance obligations |
| General Account Data | Account duration + 2 years | Legitimate use |
| Support Communications | 3 years | Business purpose |
To the maximum extent permitted by law, liability is limited as specified in this GCU and applicable law. Indirect, incidental, consequential, or special damages are excluded to the extent legally permitted.
Programme scope authorisation is a legal consent instrument for permitted testing. Safe Harbour applies only to authorised, in-scope testing and does not protect out-of-scope actions.
CRITICAL: Out-of-scope testing is not protected and may create civil and criminal exposure under applicable law.
| Tier | Label | Sketch Score | Benefits |
|---|---|---|---|
| P3 | Newcomer | 0-499 | Public programmes; core features |
| P2 | Trusted | 500-1,999 | Private programmes; priority verifier flow |
| P1 | Elite | 2,000+ | PTM eligibility; advanced trust features |
| Activity | Points | Notes |
|---|---|---|
| Critical Severity Report Accepted | +500 | Verifier + admin confirmation |
| High Severity Report Accepted | +200 | Verifier confirmation |
| Medium Severity Report Accepted | +100 | Standard verifier review |
| Low Severity Report Accepted | +30 | Standard review |
| Informational Report Accepted | +10 | Standard review |
| Sketch submitted with accepted report | +20 | Linked accepted report required |
| First blood in programme | +100 | First valid submission |
| CVE assignment for reported issue | +150 | Verified CVE required |
| CTF challenge completed | +15 / +40 / +100 | Per unique challenge |
| Skill badge earned | +50 | Per badge |
| Community learning module completed | +25 | Per completion |
| Duplicate report | -10 | Deduction rule applies |
| Out-of-scope report (unintentional) | -25 | Admin discretion |
| Low-quality insufficient report | -15 | Verifier reviewed |
| Confirmed fraudulent report | -500 | Human review required |
| Confirmed out-of-scope testing | -1000 | Human review; suspension risk |
| Breach of confidentiality | -2000 | Human review required |
| 10 accepted reports milestone | +200 | Cumulative milestone |
| 50 accepted reports milestone | +500 | Cumulative milestone |
| P2 tier attained | +100 | Upgrade bonus |
| P1 tier attained | +300 | Upgrade bonus |
Every security researcher certifies at programme enrolment: