Responsible Disclosure

Security Policy

EchoLeads takes security seriously. If you discover a vulnerability, we want to hear from you. This policy explains how to report it responsibly and what you can expect from us.

Last updated: April 20, 2026

1. Introduction

At EchoLeads (operated by Rudravega AI Labs), we are committed to protecting our customers, partners, and the broader internet. We believe responsible disclosure of security vulnerabilities helps protect our users and the community at large.

This policy outlines how to report security vulnerabilities to us, what you can expect from us in response, and the legal protections we extend to good-faith security researchers.

Please do not file a public GitHub issue, post on social media, or disclose the vulnerability to third parties before we have had a reasonable opportunity to respond and remediate.

2. Scope

The following systems and services are in scope for vulnerability reports:

https://echoleads.ai — main website and marketing pages
EchoLeads Dashboard
EchoLeads backend API and data services (internal)
EchoLeads mobile applications (if any)
Authentication and session management across all above systems
APIs and integrations exposed by the above domains

The following vulnerability types are of highest priority:

Remote code execution (RCE)
SQL injection / NoSQL injection
Authentication bypass or privilege escalation
Cross-site scripting (XSS) with demonstrated impact
Cross-site request forgery (CSRF) on sensitive actions
Insecure direct object reference (IDOR) exposing private data
Sensitive data exposure (PII, credentials, API keys)
Server-side request forgery (SSRF)
Broken access control / multi-tenant data leakage

3. How to Report

Please send vulnerability reports to our security team via email. Include as much detail as possible so we can reproduce and verify the issue quickly.

Report to:

security@echoleads.ai

Backup: support@echoleads.ai

Your report should include:

A clear description of the vulnerability and its potential impact
The URL or endpoint affected
Step-by-step reproduction instructions
Screenshots, videos, or proof-of-concept code (if applicable)
The tool(s) you used to discover the issue
Your name or alias for acknowledgment (optional)

You may encrypt sensitive reports using PGP. Contact us first to request our public key.

4. Response Timeline

We are committed to the following response timelines after receiving your report:

Initial acknowledgementWithin 48 hours

Confirm or reject the reportWithin 7 days

Provide an estimated fix timelineWithin 14 days

Deploy a patch for critical/high issuesWithin 30 days

Notify you when the issue is resolvedUpon deployment

We will keep you informed of progress throughout the process. If you do not receive an acknowledgement within 48 hours, please follow up at support@echoleads.ai.

5. Safe Harbor

EchoLeads (Rudravega AI Labs) will not pursue civil or criminal action against security researchers who:

Report vulnerabilities in good faith following this policy
Avoid accessing, modifying, or deleting data beyond what is necessary to demonstrate the vulnerability
Do not perform denial-of-service attacks, spam, or social engineering against our users or staff
Do not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate
Do not violate any laws in ways unrelated to security testing
Do not demand payment or compensation before reporting

We consider security research conducted under this policy to be authorized access to our systems. We will not refer researchers to law enforcement for activities that comply with this policy. If a third party initiates legal action against you for research conducted in accordance with this policy, we will make it known that your actions were conducted with our authorization.

Act in good faith and follow this policy — you are protected.

6. Out of Scope

The following are not eligible for vulnerability reports:

Denial of service (DoS/DDoS) attacks
Social engineering or phishing attacks against EchoLeads employees or users
Physical security attacks against our offices or infrastructure
Spam or content injection that does not demonstrate a security risk
Reports on third-party services or libraries we use (report those to the respective vendor)
Vulnerabilities in outdated browsers or operating systems
Missing HTTP security headers with no demonstrated exploitability
Self-XSS that requires a user to be tricked into entering malicious code themselves
Theoretical vulnerabilities without a working proof of concept
Clickjacking on pages with no sensitive actions
Automated scanner results without manual verification

7. Recognition & Rewards

We do not currently operate a paid bug bounty program, but we deeply value the efforts of security researchers. For valid, in-scope reports we offer:

Public acknowledgment on our Security Hall of Fame page (with your permission)
A personal thank-you from our engineering team
EchoLeads swag or credits for critical vulnerability disclosures (at our discretion)
A reference letter for your security portfolio (on request)

We are actively evaluating a formal bug bounty program. Researchers who report valid issues now will be given priority consideration when the program launches.

View Security Hall of Fame →

8. Contact

For security vulnerability reports or questions about this policy:

Security Reports

security@echoleads.ai

General Support

support@echoleads.ai

EchoLeads is operated by Rudravega AI Labs, T-Hub, Plot No 1/C Sy No 83/1, Raidurgam, Hyderabad Knowledge City, Hyderabad, Telangana 500081, India.

1. Introduction

This policy outlines how to report security vulnerabilities to us, what you can expect from us in response, and the legal protections we extend to good-faith security researchers.

Please do not file a public GitHub issue, post on social media, or disclose the vulnerability to third parties before we have had a reasonable opportunity to respond and remediate.

2. Scope

The following systems and services are in scope for vulnerability reports:

https://echoleads.ai — main website and marketing pages
EchoLeads Dashboard
EchoLeads backend API and data services (internal)
EchoLeads mobile applications (if any)
Authentication and session management across all above systems
APIs and integrations exposed by the above domains

The following vulnerability types are of highest priority:

Remote code execution (RCE)
SQL injection / NoSQL injection
Authentication bypass or privilege escalation
Cross-site scripting (XSS) with demonstrated impact
Cross-site request forgery (CSRF) on sensitive actions
Insecure direct object reference (IDOR) exposing private data
Sensitive data exposure (PII, credentials, API keys)
Server-side request forgery (SSRF)
Broken access control / multi-tenant data leakage

3. How to Report

Please send vulnerability reports to our security team via email. Include as much detail as possible so we can reproduce and verify the issue quickly.

Report to:

security@echoleads.ai

Backup: support@echoleads.ai

Your report should include:

A clear description of the vulnerability and its potential impact
The URL or endpoint affected
Step-by-step reproduction instructions
Screenshots, videos, or proof-of-concept code (if applicable)
The tool(s) you used to discover the issue
Your name or alias for acknowledgment (optional)

You may encrypt sensitive reports using PGP. Contact us first to request our public key.

4. Response Timeline

We are committed to the following response timelines after receiving your report:

Initial acknowledgementWithin 48 hours

Confirm or reject the reportWithin 7 days

Provide an estimated fix timelineWithin 14 days

Deploy a patch for critical/high issuesWithin 30 days

Notify you when the issue is resolvedUpon deployment

We will keep you informed of progress throughout the process. If you do not receive an acknowledgement within 48 hours, please follow up at support@echoleads.ai.

5. Safe Harbor

EchoLeads (Rudravega AI Labs) will not pursue civil or criminal action against security researchers who:

Report vulnerabilities in good faith following this policy
Avoid accessing, modifying, or deleting data beyond what is necessary to demonstrate the vulnerability
Do not perform denial-of-service attacks, spam, or social engineering against our users or staff
Do not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate
Do not violate any laws in ways unrelated to security testing
Do not demand payment or compensation before reporting

Act in good faith and follow this policy — you are protected.

6. Out of Scope

The following are not eligible for vulnerability reports:

Denial of service (DoS/DDoS) attacks
Social engineering or phishing attacks against EchoLeads employees or users
Physical security attacks against our offices or infrastructure
Spam or content injection that does not demonstrate a security risk
Reports on third-party services or libraries we use (report those to the respective vendor)
Vulnerabilities in outdated browsers or operating systems
Missing HTTP security headers with no demonstrated exploitability
Self-XSS that requires a user to be tricked into entering malicious code themselves
Theoretical vulnerabilities without a working proof of concept
Clickjacking on pages with no sensitive actions
Automated scanner results without manual verification

7. Recognition & Rewards

We do not currently operate a paid bug bounty program, but we deeply value the efforts of security researchers. For valid, in-scope reports we offer:

Public acknowledgment on our Security Hall of Fame page (with your permission)
A personal thank-you from our engineering team
EchoLeads swag or credits for critical vulnerability disclosures (at our discretion)
A reference letter for your security portfolio (on request)

We are actively evaluating a formal bug bounty program. Researchers who report valid issues now will be given priority consideration when the program launches.

View Security Hall of Fame →

8. Contact

For security vulnerability reports or questions about this policy:

Security Reports

security@echoleads.ai

General Support

support@echoleads.ai

EchoLeads is operated by Rudravega AI Labs, T-Hub, Plot No 1/C Sy No 83/1, Raidurgam, Hyderabad Knowledge City, Hyderabad, Telangana 500081, India.