1. WELCOME
Ahlan is committed to security and welcomes responsible vulnerability disclosure. If you discover a security vulnerability, we want to hear from you! We aim to resolve security issues quickly and fairly.
2. SCOPE
This program covers:
- All Ahlan domains and services (ahlan.app, api.ahlan.app, etc.)
- Core web and mobile applications
- Backend APIs and infrastructure (where publicly accessible)
- Authentication and data protection systems
Out of scope: Third-party services, outdated browsers, physical security, social engineering
3. ELIGIBLE VULNERABILITIES
Critical (Up to $2,500)
- Remote code execution (RCE)
- SQL injection with data exfiltration
- Authentication bypass
- Privilege escalation
- Unencrypted data exposure
High (Up to $1,000)
- XSS affecting account functionality
- CSRF with user action
- Sensitive information disclosure
- Session hijacking
- Unauthorized data access
Medium (Up to $500)
- Stored XSS with limited impact
- Account enumeration
- Rate limiting bypass
- Information disclosure
- Subdomain takeover
Low (Up to $250)
- Reflected XSS
- Open redirect
- Security header misconfiguration
- Weak password policy
4. NOT ELIGIBLE
- Vulnerabilities in outdated browser versions
- Vulnerabilities requiring physical access
- Social engineering or phishing attacks
- Issues already known or publicly disclosed
- Denial of service (DoS) attacks
- Email spoofing without impact
- Missing HTTP headers without exploitability
- Username enumeration (low risk)
- Findings from automated tools only (no manual verification)
5. HOW TO REPORT
Email your vulnerability report to:
security@ahlan.app
Include:
- Clear description of vulnerability
- Steps to reproduce
- Proof of concept (if applicable)
- Potential impact
- Proposed fix (optional)
- Your contact information
6. RESPONSIBLE DISCLOSURE
Please:
- Do not publicly disclose the vulnerability before we fix it
- Do not access other users' data or accounts
- Do not modify or delete data on our systems
- Do not perform denial of service attacks
- Do give us reasonable time to fix (90 days minimum)
- Do test in a safe, non-destructive manner
- Do report only to security@ahlan.app initially
7. RESPONSE TIMELINE
- 1-2 hours: Acknowledgment of report
- 24 hours: Initial assessment and severity determination
- 48 hours: Plan for fix (critical) or update on progress
- 7 days: Fix deployed (most high/critical)
- 90 days: Public disclosure allowed if unfixed
8. REWARD DETAILS
- Rewards paid via PayPal or bank transfer within 30 days of fix deployment
- Bounty amount determined by severity, impact, and quality of report
- Duplicate submissions: First reporter receives bounty
- Combined reports: One bounty awarded to lead researcher
- Multiple vulnerabilities in one report: Separate bounty for each
9. LEGAL SAFE HARBOR
If you follow our policy and act in good faith, we will not:
- Pursue civil or criminal charges
- Violate laws against unauthorized computer access
- Take legal action for your testing activities
- Hold you liable for damages
This does not apply if you exceed the scope or violate the conditions above.
10. DISCLOSURE POLICY
- Vulnerability details disclosed only after fix is deployed
- You may disclose after 90 days if unfixed (with notice)
- Researchers credited publicly (unless you prefer anonymity)
- We may mention the vulnerability in security advisories
- Timeline negotiable for complex issues
11. ANNUAL REPORT
Ahlan publishes an annual security report including: total bounties paid, common vulnerability types, response times, and participating researchers (with permission).
12. FREQUENTLY ASKED QUESTIONS
Q: Can I test without permission?
A: Yes, as long as you stay within scope and follow responsible disclosure. You do not need permission before reporting.
Q: What if I find the same vulnerability as someone else?
A: The first person to report receives the bounty. Report quickly!
Q: Can I publicly disclose before you fix it?
A: No. Wait at least 90 days after your initial report.
13. CONTACT
Security vulnerabilities: security@ahlan.app
Bug bounty questions: bounty@ahlan.app
General support: support@ahlan.app
Response time: < 2 hours during business hours, 24 hours otherwise