How to report an issue
Send a detailed report to security@hamraofficial.com. We acknowledge every report within 72 hours and aim to resolve verified issues within 30 days.
A good report includes: the URL or endpoint, a description of the issue, reproduction steps, and any proof-of-concept. Please don't share details publicly until we've had a chance to fix the issue.
In scope
hamraofficial.comand any subdomain- The HAMRA Companion Chrome extension
- Any HAMRA-owned API endpoint
Out of scope
- Denial-of-service attacks (please don't test these).
- Social engineering against HAMRA staff or users.
- Physical attacks against HAMRA infrastructure or staff.
- Issues in third-party services we use (Supabase, Vercel, Resend, Razorpay, Dodo, Google Vertex AI) — report those to the respective vendor.
- Reports generated by automated scanners with no human triage (low-quality noise; we delete these unread).
What we ask of you
- Make a good-faith effort not to access or modify other users' data.
- Don't exfiltrate data beyond the minimum needed to demonstrate the issue.
- Give us reasonable time to fix the issue before public disclosure.
- One reporter per finding — if you report something we're already aware of, we'll let you know.
What we offer
We don't run a paid bug bounty yet. For valid, novel reports we offer public credit (with your permission) and HAMRA Pro credit. As the company grows we'll formalize a paid program.
Machine-readable policy
See /.well-known/security.txt for the RFC 9116 contact entry.