Security Disclosure Notice

Intended for: Security researchers, customers, vendors, ethical hackers, and any member of the public who has incidentally identified a security concern involving CALI’s systems, applications, or digital channels. CreditAccess Life Insurance Limited (CALI) is committed to maintaining the security and integrity of its systems and protecting the interests of its customers. This notice establishes the process for responsibly reporting security concerns to CALI.

Important: Unauthorised Testing is Not Permitted

This notice does not constitute permission to test, scan, probe, or assess CALI’s systems in any form. CALI has not granted consent for any active security testing of its website, applications, APIs, or infrastructure. Any individual who conducts unauthorised testing, including automated scanning or deliberate probing, without prior written consent from CALI does so entirely at their own risk and is not covered by the Safe Harbour provisions of this notice.

Report Security Concerns to: security@calife.in

This mailbox is under direct oversight of the Chief Information Security Officer (CISO). All reports will be acknowledged within 48 hours of receipt.

What to Report

Report only what you have incidentally discovered through normal use. The following categories are accepted:

  • Software vulnerabilities in CALI’s website, mobile application, APIs, or infrastructure.
  • Phishing emails, fraudulent SMS, or other communications impersonating CALI.
  • Security fraud or financial fraud involving CALI’s products or services.
  • Any other security weakness posing a risk to customers or CALI’s systems.
Resolution

Upon confirmation of a report as a true positive, resolution will be carried out in accordance with CALI’s Information and Cyber Security Policy and the timelines prescribed under IRDAI Information and Cyber Security Guidelines 2026. The reporter will be notified upon closure of the reported concern.

Safe Harbour

This protection applies exclusively to those who have incidentally discovered a security concern through normal use of CALI’s systems and who report it responsibly, without exploiting or publicly disclosing the issue prior to remediation. Safe Harbour does not extend to individuals who have conducted active, deliberate, or automated testing of CALI’s systems without prior written consent. CALI reserves the right to take appropriate action in such cases.

Reporting a New Vulnerability to CERT-In

The Indian Computer Emergency Response Team (CERT-In) is the national nodal agency for cybersecurity in India, operating under the Ministry of Electronics and Information Technology (MeitY). CERT-In is designated as a CVE Numbering Authority (CNA), it is authorized to formally assign Common Vulnerabilities and Exposures (CVE) identifiers to newly discovered vulnerabilities within Indian cyberspace.

If you believe you have discovered a previously unknown vulnerability - one that does not yet carry a CVE identifier, we encourage you to report it to CERT-In so that it may be formally catalogued, assigned a CVE ID, and officially acknowledged. This is separate from your report to CALI.

CERT-In Vulnerability Reporting Portal: https://cert-in.org.in/Vulnerability-Reporting.jsp