Responsible Disclosure

• I. Introduction

  The security of our platform matters to us and to our users. If you find a security vulnerability, we want to hear about it. This policy describes how to report vulnerabilities to us and what to expect in return.

• II. Scope

  This policy applies to vulnerabilities found in:
  The Lalaaji web application (app.lalaaji.com).
  The Lalaaji API.
  The Lalaaji mobile applications (iOS and Android).
  Any subdomain of lalaaji.com.

• III. How to Report

  If you discover a security vulnerability, please report it to us at [email protected]. Please include:
  A description of the vulnerability and its potential impact.
  Steps to reproduce the issue.
  Any supporting evidence (screenshots, logs, proof of concept).
  Your contact information for follow-up.

• IV. Our Commitment

  When you report a vulnerability in good faith, we commit to:
  Acknowledging receipt of your report within 3 business days.
  Providing an initial assessment within 10 business days.
  Keeping you informed of our progress toward resolving the issue.
  Not pursuing legal action against researchers who comply with this policy.
  Crediting you (if desired) when the vulnerability is resolved.

• V. Guidelines

  We ask that you:
  Do not access, modify, or delete data belonging to other users.
  Do not perform actions that could degrade the availability of our services (e.g., denial of service).
  Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it.
  Make a good-faith effort to avoid privacy violations and disruption to others.
  Only interact with accounts you own or with explicit permission from the account holder.

• VI. Out of Scope

  The following are generally considered out of scope:
  Reports from automated vulnerability scanners without manual validation.
  Social engineering attacks (e.g., phishing) against Lalaaji employees or users.
  Physical security issues at our offices.
  Denial-of-service attacks.
  Issues in third-party services we use (report those to the respective vendor).

• VII. Recognition

  We do not currently run a formal bug bounty program, but we may offer recognition or rewards at our discretion for significant reports. We are happy to publicly credit you if you wish.

• VIII. Contact

  For security-related reports: [email protected]
  For general inquiries: [email protected]