Skip to main content

Security

Responsible disclosure policy and contact channels.

How to report an issue

Send a detailed report to security@hamraofficial.com. We acknowledge every report within 72 hours and aim to resolve verified issues within 30 days.

A good report includes: the URL or endpoint, a description of the issue, reproduction steps, and any proof-of-concept. Please don't share details publicly until we've had a chance to fix the issue.

In scope

  • hamraofficial.com and any subdomain
  • The HAMRA Companion Chrome extension
  • Any HAMRA-owned API endpoint

Out of scope

  • Denial-of-service attacks (please don't test these).
  • Social engineering against HAMRA staff or users.
  • Physical attacks against HAMRA infrastructure or staff.
  • Issues in third-party services we use (Supabase, Vercel, Resend, Razorpay, Dodo, Google Vertex AI) — report those to the respective vendor.
  • Reports generated by automated scanners with no human triage (low-quality noise; we delete these unread).

What we ask of you

  • Make a good-faith effort not to access or modify other users' data.
  • Don't exfiltrate data beyond the minimum needed to demonstrate the issue.
  • Give us reasonable time to fix the issue before public disclosure.
  • One reporter per finding — if you report something we're already aware of, we'll let you know.

What we offer

We don't run a paid bug bounty yet. For valid, novel reports we offer public credit (with your permission) and HAMRA Pro credit. As the company grows we'll formalize a paid program.

Machine-readable policy

See /.well-known/security.txt for the RFC 9116 contact entry.