RVDP Cyberange × ISAC × CERT-In

Responsible Vulnerability Disclosure Programme.

If you have found a security vulnerability in a Cyberange product or web property, report it here. Submissions are triaged by ISAC Foundation’s response cell and, where appropriate, coordinated with CERT-In under the Indian government’s national vulnerability-disclosure framework.

About the programme

Run by ISAC. Coordinated with CERT-In.

ISAC Foundation — the Section 8 non-profit founded by the team behind Cyberange — operates the RVDP response cell. Reports submitted here are triaged by ISAC’s incident analysts, validated against the affected Cyberange product or property, and forwarded to the engineering team for remediation.

Where a vulnerability has national-interest implications — critical-infrastructure exposure, mass-impact misconfiguration, or systemic supply-chain risk — reports are coordinated with CERT-In, the Indian Computer Emergency Response Team under MeitY. Coordination follows CERT-In’s published responsible-disclosure framework.

Scope

What you can — and can’t — test against.

In scope

  • Web properties under cyberange.io and subdomains
  • AttackWiz, TAW, Virtual Labs, Cyberbay product surfaces
  • ISAC Foundation web properties on isacfoundation.org
  • APIs documented at api.cyberange.io
  • Mobile applications published under Cyberange or ISAC
  • Documented integrations with partner systems (with the partner’s consent)

Out of scope — will not be accepted

  • Findings against customer-deployed instances (report to the customer directly)
  • Denial-of-service or volumetric testing against production systems
  • Social engineering against employees, partners, or vendors
  • Physical security testing of any Cyberange or partner facility
  • Findings that require actively exploiting another user’s account or data
  • Spam, missing security headers, or low-severity informational issues
  • Anything that violates Indian law — including the IT Act, 2000, Sections 43 and 66

Data sharing

Your submission is shared with ISAC and, where appropriate, CERT-In.

By submitting this form, you understand that the information you provide — including your name, contact details, the vulnerability description, proof-of-concept, and any attachments — will be shared with ISAC Foundation’s incident response cell. ISAC uses this information to validate, triage, and coordinate remediation with Cyberange’s engineering team.

Where the vulnerability has implications beyond Cyberange — critical-infrastructure exposure, cross-vendor impact, or national-interest considerations — ISAC may share the report with CERT-In under the Indian government’s responsible-disclosure framework. CERT-In may, in turn, coordinate with the affected operators. You will be notified if your report is escalated to CERT-In.

Submit a report

Tell us what you found.

Required fields are marked with an asterisk. If a field doesn’t fit your finding, use the free-form notes at the bottom. Average response time: within 48 hours; critical reports are acknowledged within 24 hours.

Form submissions are currently routed via email while the in-app handler is wired up. If you don’t get a reply within 48 hours, email [email protected].