Purpose
Angel One Limited (“AngelOne”, “we”, “us”, or “our”) is committed to maintaining the confidentiality, integrity, and availability of our systems, platforms and customer data. We recognize that security researchers and members of the public may identify potential vulnerabilities in our applications, infrastructure, or services. This Responsible Disclosure Policy (“Policy”) is intended to (i) establish a clear, lawful, and collaborative framework for reporting such vulnerabilities so they can be addressed promptly and responsibly; (ii) encourage good-faith security research; and (iii) enable Angel One to investigate, validate, and remediate security issues in a timely manner.
This Policy does not create any contractual obligation, employment relationship, or entitlement to compensation.
This Policy is issued in alignment with:
- The Information Technology Act, 2000 and applicable rules;
- CERT-In Directions on cybersecurity incidents;
- The Digital Personal Data Protection Act, 2023 and applicable rules; and
- Applicable SEBI and stock exchange cybersecurity expectations.
Nothing in this Policy limits Angel One’s rights or obligations under applicable law.
Scope
This Policy applies to vulnerabilities in Angel One-owned or managed web properties, mobile applications, APIs, trading platforms and infrastructure. It covers vulnerabilities that may impact customer data, trading operations, financial integrity, or regulatory compliance. This Policy does not apply to vulnerabilities identified in third-party platforms, vendors, or services that are not owned, operated, or controlled by Angel One, nor does it cover issues relating solely to denial-of-service or stress-testing activities. It also excludes social engineering, phishing attempts, or any form of physical security testing, as well as vulnerabilities that require or involve unauthorised access to customer accounts, personal data, or other confidential information.
Safe Harbor (Legal Protections for Good-Faith Research)
Angel One encourages responsible and ethical security researchers to identify vulnerabilities and report them as per the due process detailed in this Policy. When reporting a vulnerability, researchers are expected to:
- Act in good faith and avoid activities that could disrupt services, trading operations, or customer experience.
- Refrain from exploiting vulnerabilities beyond what is strictly necessary to demonstrate the issue.
- Avoid accessing, modifying, deleting, or exfiltrating customer data, financial records, or personally identifiable information.
- Not pivot into third-party systems and integrations.
- Not publicly disclose the vulnerability or share it with third parties until Angel One has completed its investigation and remediation or has provided written consent.
- Comply with all applicable laws, regulations, and contractual obligations.
- Provide sufficient details to allow us to reproduce and validate the issue.
If you comply with this Policy and meet the above-mentioned expectations, we will not initiate civil or criminal action against you for accidental or good-faith violations of this Policy. We consider research conducted under this Policy to be authorized under applicable anti-circumvention and computer misuse laws to the extent we can grant such authorization; this does not bind any third party. This safe harbour does not apply to actions involving wilful misconduct, gross negligence, or violations of law, including unauthorized access to personal data or financial records.
If you are unsure whether an action is permitted, ask us first at the contact provided below.
How to Report
Security vulnerabilities should be reported promptly via:
Email: responsibledisclosure@angelone.in
While reporting any vulnerability and to facilitate effective assessment and remediation, please include:
- A clear description of the vulnerability and its potential impact
- The affected URL, application, API, or system component
- Step-by-step reproduction details or proof of concept, where feasible
- Screenshots, logs, or other supporting evidence
- Your contact information for follow-up communication
Angel One’s Commitment
Upon receiving a valid vulnerability report, Angel One commits to:
- Acknowledge receipt within a reasonable timeframe.
- Conduct a risk-based evaluation to validate and classify the reported issue.
- Remediate confirmed vulnerabilities in accordance with internal security standards, regulatory requirements, and business impact.
- Provide status updates to the reporter where appropriate.
Recognition
Angel One values contributions from the research community and may, at its sole discretion, acknowledge and recognise the researcher for eligible vulnerability disclosures in our quarterly Hall of Fame. Any such recognition will be governed strictly by Angel One’s internal policies, risk classification criteria, and regulatory considerations. Please note that any recognition is contingent on adherence to this Policy, absence of malicious intent, and the following eligibility factors including, but not limited to:
- Severity and impact of the vulnerability
- Quality and clarity of the report
- Compliance with this Responsible Disclosure Policy
- Absence of prior public disclosure or malicious intent
Angel One does not currently operate a public bug bounty or reward programme. Submission of a vulnerability report does not entitle the reporter to any compensation, reward, or recognition, unless expressly agreed in writing.
Confidentiality and Disclosure Restrictions
All vulnerability reports and related communications must be treated as confidential. Researchers must not, at any time:
- Publicly disclose vulnerabilities
- Share findings with third parties
- Publish proof-of-concept details
- Discuss vulnerabilities before receiving explicit written authorization from Angel One.
Angel One, being a SEBI-regulated financial institution, prohibits and discourages any testing activity that risks regulatory non-compliance, user harm, data exposure, or operational disruption. Any personal data shared as part of a vulnerability report will be processed by Angel One solely for the purpose of investigating and responding to the report, in accordance with applicable data protection laws and Angel One’s Privacy Policy. Researchers are requested to avoid sharing personal or sensitive data unless strictly necessary.
Any breach of confidentiality will result in permanent disqualification and may lead to legal action.
Governing Law and Jurisdiction
This Policy shall be governed by and construed in accordance with the laws of India. Courts at Mumbai, Maharashtra shall have exclusive jurisdiction.
Policy Changes
Angel One may update, modify, suspend, or terminate this Policy or program at any time, without prior notice. Angel One reserves the right to modify or update this Policy at any time. The revised Policy will be effective upon publication on Angel One’s website and your continued participation after any update constitutes acceptance of the revised terms.


