Security

Disclose first. We’ll talk fast.

Last updated: May 2026

Posture

Pinegrass Technologies Pvt. Ltd. operates a small fleet of consumer products covering financial, health, and educational data. Security is not a feature of those products — it is the price of building them. The studio runs a single canonical disclosure channel and keeps the loop tight.

Scope

In scope:

  • pinegrass.in and any subdomain hosted by Pinegrass.
  • Pinegrass-published mobile and web applications across the studio (Ari, Darelight, CredPact, Zenelva, and any sibling product listed on the home page).
  • Pinegrass-controlled APIs, including authentication and data endpoints used by those applications.

Out of scope:

  • Third-party services Pinegrass consumes (Clerk, Supabase, Sentry, BetterStack, Vercel, Razorpay, RevenueCat). Report those to the vendor.
  • Social-engineering tests against employees, contractors, or the founder.
  • Denial-of-service, volumetric, or rate-limit-bypass tests.
  • Physical security of the Moreh studio.

Responsible disclosure

Send a single message to privacy@pinegrass.in with the subject prefix Security — followed by a short advisory id of your choice. Include:

  • A reproduction path or proof of concept.
  • The product, URL, or endpoint affected.
  • Your assessment of impact and any suggested remediation.
  • How you would like to be credited, if at all.

Pinegrass commits to: acknowledging within 72 hours; triaging and replying with a remediation timeline within 7 days; and disclosing publicly only after a fix has shipped, in coordination with the reporter.

Do not file public GitHub issues, social-media posts, or press disclosures before reaching the address above. A studio of this size cannot react to disclosure-by-tweet, and users are best served by a quiet fix shipped quickly.

Safe harbour

Pinegrass will not pursue legal action against researchers who act in good faith, stay within the scope above, avoid privacy violations, avoid degrading service for real users, and give Pinegrass reasonable time to remediate before disclosure.

PGP

Fingerprint —

-----BEGIN PGP PUBLIC KEY BLOCK-----

(public key goes here — see TODO above)

-----END PGP PUBLIC KEY BLOCK-----

Key changes will be announced in this section and dated.

Hall of fame

Researchers who responsibly disclose a vulnerability that Pinegrass confirms and remediates are listed here, in chronological order, with their preferred handle and the shipping date of the fix.

  1. No disclosures yet. Be the first.
