سياسة الإفصاح المسؤول

Security and privacy of our users are very important to us. We take utmost care to ensure that our systems are protected, and our developers strive to write secure code. We understand that there is no silver bullet when it comes to security, and that security bugs can slip through despite our best efforts. We ensure that all security issues reported are reviewed and resolved promptly.

Reporting a security issue

If you believe that you have found a security issue that can adversely impact Alaan, please do contact our security team at security@alaan.com and send your submissions. A member of our security team will reach out to you and will work with you to validate, qualify, and resolve the issue.

The security issue report from you must contain:

• A detailed description of the issue
• Steps to reproduce the issue
• You will follow responsible disclosure guidelines (see below)
• Collaborative spirit
• No malicious activities (**)

Our promise to you:

• Prompt acknowledgement of the report
• Transparency throughout the process
• Adequate mitigation of the issue
• Entry in the Hall of Fame for accepted reports (if preferred) 
• Monetary reward for qualified reports as per the following criteria 

‍

Severity Rating & Reward

‍

Final severity will be determined based on exploitability, impact, and scale of affected users/data. The value of the reward would be based on the impact and Alaan’s decision on payment is final.

Responsible Disclosure

We at Alaan believe that with great knowledge comes great responsibility. We expect that you will give us reasonable lead time to respond to your report before making any information public and that you will make a good-faith effort to avoid privacy violations, data destruction, and interruptions or degradations of our services during your research. We will reciprocate the gesture by working with you to mitigate the issue to the satisfaction of both parties.

We would prefer that interested researchers coordinate their efforts with our security team so that we can avoid any untoward incidents that could affect confidentiality, integrity, or availability of Alaan’s systems.

Program Rules:

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
• Do not run any automated scans against Alaan targets.
• When duplicates occur, we award only the first report received (provided it can be fully reproduced).
• Ask the Alaan team before submitting vulnerabilities on unscoped subdomains
• Only interact with accounts you own or with the explicit permission of the account holder.

Scope

Alaan Websites

• https://www.alaan.com/
• https://app.alaanpay.com/

Mobile Apps

• Alaan Android
• Alaan iOS

Excluded Bug Submission

Following bug submissions are excluded because they are malicious and/or because they have low security impact on the program owner. This section contains issues that are not accepted under this program and will be immediately marked as invalid.

The following findings are specifically excluded and will be considered invalid:

• Security issues in third-party apps or websites that integrate with Alaan
• Descriptive error messages (e.g., Stack Traces, application or server errors).
• HTTP codes/pages or other HTTP non-codes/pages.
• Fingerprinting/banner disclosure on common/public services.
• Disclosure of known public files or directories (e.g., robots.txt).
• Clickjacking and issues that are only exploitable through social engineering.
• CSRF in forms that are available to anonymous users (e.g., the contact form).
• Logout Cross-Site Request Forgery (logout CSRF).
• Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
• Lack of Security Speedbump when leaving the site.
• Weak Captcha / Captcha Bypass
• OPTIONS HTTP method enabled
• HTTPS Mixed Content Scripts
• Self-XSS
• Username/email enumeration
  
  1. via Login Page error message
  2. via Forgot Password error message
• Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers),
  e.g.
  
  1. Strict-Transport-Security
  2. X-Frame-Options
  3. X-XSS-Protection
  4. X-Content-Type-Options
  5. Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  6. Content-Security-Policy-Report-Only
• SSL Issues, e.g.
  
  1. SSL Attacks such as BEAST, BREACH, and Renegotiation attack
  2. SSL weak/insecure cipher suites

Out of Scope bugs for Android apps:

• Shared links leaked through the system clipboard.
• Any URIs leaked because a malicious app has permission to view URIs opened
• Absence of certificate pinning
• Sensitive data in URLs/request bodies when protected by TLS
• User data that is stored unencrypted on external storage
• Lack of obfuscation is out of scope
• OAuth & App secret hard-coded/recoverable in APK
• Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope)
• Any kind of sensitive data stored in app's private directory
• Lack of binary protection control in Android app
• Runtime hacking exploits using tools like, but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)

Out of Scope bugs for iOS apps

• Lack of Exploit mitigations, i.e., PIE, ARC, or Stack Canaries
• Absence of certificate pinning
• Path disclosure in the binary
• User data that is stored unencrypted on the file system
• Lack of obfuscation is out of scope
• Lack of jailbreak detection is out of scope
• OAuth & app secret hard-coded/recoverable in IPA
• Crashes due to malformed URL Schemes
• Lack of binary protection (anti-debugging) controls
• Snapshot/Pasteboard leakage
• Runtime hacking exploits using tools like, but not limited to Frida/Appmon (exploits only possible in a jailbroken environment)

**Appendix: We classify malicious activities as follows

• Any kind of DoS attack
• Deliberate attempts at harming Alaan’s systems
• Introduction of backdoors/trojans/malware in Alaan’s systems
• Attempts to breach confidential data
• Publicly disclosing the vulnerability prior to our resolution.
• Physical testing, such as office access (e.g., open doors, tailgating).
• Observations derived primarily from social engineering (e.g., phishing, vishing).
• Any testing on any other application/systems not mentioned in ’Target’ scope.

Note: All attempts to cause harm to Alaan’s systems and data that do not follow responsible disclosure will be pursued legally to the full extent permitted by law.

Payment Terms & Conditions

• If you are deemed eligible for a monetary reward, you may be required to provide additional verification, identification, and tax-related information to facilitate payment.
• Rewards will be issued only after successful validation of the reported vulnerability and completion of all required verification and eligibility checks.
• Eligibility for payment is subject to compliance with all program rules, including responsible disclosure guidelines, legal and withholding taxation requirements.
• Any taxes, duties, or levies arising from monetary rewards are the sole responsibility of the recipient.
• Alaan reserves the right to withhold or adjust rewards in cases of incomplete information, non-compliance, or duplicate submissions.
• By submitting the report referenced in this document, you unconditionally accept this policy and waive any right to pursue legal action or to disclose publicly the report, any related communications, or any associated documents or information. 

‍