Security
Responsible Disclosure
We take security seriously and appreciate the work of security researchers who help us keep our systems and users safe.
Scope
This policy applies to vulnerabilities in:
- arazon.io and all subdomains
- api.arazon.io
- Arazon mobile applications
- Arazon open-source projects
Qualifying Vulnerabilities
We're interested in hearing about:
- Remote code execution
- SQL injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Authentication/authorization bypass
- Sensitive data exposure
- Server-side request forgery (SSRF)
Out of Scope
The following are not eligible:
- Denial of service attacks
- Social engineering attacks
- Physical attacks against Arazon offices or data centers
- Vulnerabilities in third-party services
- Issues already known or previously reported
- Theoretical vulnerabilities without proof of concept
Reporting Guidelines
When reporting a vulnerability:
- Provide detailed steps to reproduce the issue
- Include proof-of-concept code if applicable
- Describe the potential impact
- Do not access or modify other users' data
- Do not perform destructive testing
- Keep vulnerability details confidential until resolved
Our Commitment
When you report a vulnerability in good faith:
- We will acknowledge receipt within 24 hours
- We will provide an initial assessment within 5 business days
- We will keep you informed of our progress
- We will not pursue legal action against you
- We will credit you in our security acknowledgments (if desired)
Submit a Report
Report security vulnerabilities to:
For sensitive reports, use our PGP key available at arazon.io/pgp-key.txt
Bug Bounty
We offer monetary rewards for qualifying vulnerability reports. Reward amounts are determined based on severity, impact, and quality of the report. Contact us for current bounty ranges.