Back to Home

Bug Bounty & Vulnerability Disclosure

Last updated: January 2026

1. WELCOME

Ahlan is committed to security and welcomes responsible vulnerability disclosure. If you discover a security vulnerability, we want to hear from you! We aim to resolve security issues quickly and fairly.

2. SCOPE

This program covers:

  • All Ahlan domains and services (ahlan.app, api.ahlan.app, etc.)
  • Core web and mobile applications
  • Backend APIs and infrastructure (where publicly accessible)
  • Authentication and data protection systems

Out of scope: Third-party services, outdated browsers, physical security, social engineering

3. ELIGIBLE VULNERABILITIES

Critical (Up to $2,500)

  • Remote code execution (RCE)
  • SQL injection with data exfiltration
  • Authentication bypass
  • Privilege escalation
  • Unencrypted data exposure

High (Up to $1,000)

  • XSS affecting account functionality
  • CSRF with user action
  • Sensitive information disclosure
  • Session hijacking
  • Unauthorized data access

Medium (Up to $500)

  • Stored XSS with limited impact
  • Account enumeration
  • Rate limiting bypass
  • Information disclosure
  • Subdomain takeover

Low (Up to $250)

  • Reflected XSS
  • Open redirect
  • Security header misconfiguration
  • Weak password policy

4. NOT ELIGIBLE

  • Vulnerabilities in outdated browser versions
  • Vulnerabilities requiring physical access
  • Social engineering or phishing attacks
  • Issues already known or publicly disclosed
  • Denial of service (DoS) attacks
  • Email spoofing without impact
  • Missing HTTP headers without exploitability
  • Username enumeration (low risk)
  • Findings from automated tools only (no manual verification)

5. HOW TO REPORT

Email your vulnerability report to:

security@ahlan.app

Include:

  • Clear description of vulnerability
  • Steps to reproduce
  • Proof of concept (if applicable)
  • Potential impact
  • Proposed fix (optional)
  • Your contact information

6. RESPONSIBLE DISCLOSURE

Please:

  • Do not publicly disclose the vulnerability before we fix it
  • Do not access other users' data or accounts
  • Do not modify or delete data on our systems
  • Do not perform denial of service attacks
  • Do give us reasonable time to fix (90 days minimum)
  • Do test in a safe, non-destructive manner
  • Do report only to security@ahlan.app initially

7. RESPONSE TIMELINE

  • 1-2 hours: Acknowledgment of report
  • 24 hours: Initial assessment and severity determination
  • 48 hours: Plan for fix (critical) or update on progress
  • 7 days: Fix deployed (most high/critical)
  • 90 days: Public disclosure allowed if unfixed

8. REWARD DETAILS

  • Rewards paid via PayPal or bank transfer within 30 days of fix deployment
  • Bounty amount determined by severity, impact, and quality of report
  • Duplicate submissions: First reporter receives bounty
  • Combined reports: One bounty awarded to lead researcher
  • Multiple vulnerabilities in one report: Separate bounty for each

9. LEGAL SAFE HARBOR

If you follow our policy and act in good faith, we will not:

  • Pursue civil or criminal charges
  • Violate laws against unauthorized computer access
  • Take legal action for your testing activities
  • Hold you liable for damages

This does not apply if you exceed the scope or violate the conditions above.

10. DISCLOSURE POLICY

  • Vulnerability details disclosed only after fix is deployed
  • You may disclose after 90 days if unfixed (with notice)
  • Researchers credited publicly (unless you prefer anonymity)
  • We may mention the vulnerability in security advisories
  • Timeline negotiable for complex issues

11. ANNUAL REPORT

Ahlan publishes an annual security report including: total bounties paid, common vulnerability types, response times, and participating researchers (with permission).

12. FREQUENTLY ASKED QUESTIONS

Q: Can I test without permission?

A: Yes, as long as you stay within scope and follow responsible disclosure. You do not need permission before reporting.

Q: What if I find the same vulnerability as someone else?

A: The first person to report receives the bounty. Report quickly!

Q: Can I publicly disclose before you fix it?

A: No. Wait at least 90 days after your initial report.

13. CONTACT

Security vulnerabilities: security@ahlan.app
Bug bounty questions: bounty@ahlan.app
General support: support@ahlan.app

Response time: < 2 hours during business hours, 24 hours otherwise