Introduction

At Almountakhab, the security of our systems and the data of our customers is a top priority. We welcome reports from the security community about potential vulnerabilities that could affect our services. This policy explains the guidelines and procedures for responsible disclosure of security vulnerabilities.

Scope

This policy applies to any digital assets owned, operated, or managed by Almountakhab, including but not limited to:

  • Web applications;
  • Mobile applications;
  • APIs;
  • Network infrastructure;
  • Any other relevant services or platforms;

Reporting a Vulnerability

If you discover a security vulnerability in any of our systems, please follow the guidelines below to report it:

  1. Contact Information:
    • Email: security@almountakhab.com
    • PGP Key (for encrypted communications): [Link to PGP key]
  2. Required Information:
    • The website or page in which the vulnerability exists.
    • A detailed description of the vulnerability.
    • Steps to reproduce the issue, including any code, screenshots, or proof of concept (PoC) examples.
    • The impact of the vulnerability (e.g., data access, system control, etc.).
    • Your contact information for any follow-up questions.
    • Please ensure that you do not send your proof of exploit in plaintext email, if the vulnerability is still exploitable. But over encrypted communications
  3. Please Do Not:
    • Access, modify, or delete any data that is not your own.
    • Disrupt our services (e.g., through DDoS attacks).
    • Share the vulnerability details with anyone before we have addressed it.
    • Engage in any illegal activities.

What We Commit To:

  1. Acknowledgment:
    • We will acknowledge receipt of your report within 02 business days.
    • The acknowledgment email will include a ticket reference number which you can quote in any further communications with our Security Team.
    • Attached to the acknowledgement email will be a PGP key which you can use to encrypt future communications containing sensitive information.
  2. Investigation:
    • We will investigate your report promptly and provide updates on the status of the issue.
  3. Resolution:
    • We will work to resolve the issue as quickly as possible. Depending on the severity, this may involve patching systems, updating policies, or other corrective actions.
  4. Recognition:
    • If your report leads to a change, we are happy to publicly acknowledge your contribution, with your permission. You may also be eligible for inclusion in our Hall of Fame, or other recognition programs.

Bug Bounty

Unfortunately, due to our current funding structure, we are unable to offer a paid bug bounty program. However, we greatly appreciate the efforts of security researchers who take the time to investigate and report vulnerabilities responsibly. As a token of our gratitude, we are happy to offer recognition and acknowledgment for your valuable contributions.

Vulnerabilities Accepted

  • OWASP Top 10 vulnerability categories
  • Other vulnerabilities with demonstrated impact  

Out of Scope

Some vulnerabilities may fall outside the scope of this policy, (please don’t report them) including:

  • social engineering attacks;
  • issues with third-party services;
  • Volumetric/Denial of Service vulnerabilities (i.e. simply overwhelming our service with a high volume of requests);
  • TLS configuration weaknesses (e.g. "weak" cipher suite support, TLS1.0 support, sweet32 etc.);
  • Reports indicating that our services do not fully align with "best practice" (e.g. missing security headers or suboptimal email-related configurations such as SPF, DMARC etc.);
  • Issues surrounding the verification of email addresses used to create user accounts;
  • Clickjacking vulnerabilities;
  • Self XSS (i.e. where a user would need to be tricked into pasting code into their web browser);
  • CSRF where the resulting impact is minimal;
  • CRLF attacks where the resulting impact is minimal;
  • Host header injection where the resulting impact is minimal;
  • Network data enumeration techniques (e.g. banner grabbing, existence of publicly available server diagnostic pages);
  • Reports of improper session management / session fixation vulnerabilities.

Safe Harbor

We commit to not pursuing legal action against you or involving law enforcement if you:

  • Act in good faith to find and report a vulnerability.
  • Adhere to this disclosure policy and any applicable laws.
  • Avoid compromising the privacy or data of others.

However, if your actions deviate from this policy or involve illegal activity, we reserve the right to take appropriate legal action.

Third-Party

Vendors If your report involves a vulnerability in a third-party service or vendor that Almountakhab uses, we will coordinate with the vendor to ensure the issue is addressed appropriately.

Feedback and Updates

We strive to improve our security processes continuously. If you have suggestions on how to improve this policy, please let us know. We may update this policy periodically, so please review it regularly.

Thank You

We greatly appreciate your contribution to the security of Almountakhab. Your efforts help us protect our visitors and provide a safer online environment for everyone.

Almountakhab

- 15/08/2024
- 02/03/2024
- 07/05/2023
- 11/12/2020
- 14/01/2017