Responsible disclosure

Found a security issue?

We treat every report seriously — a kid-facing platform with content authoring and a scholar review queue gets a lot of researcher attention, and we'd rather hear from you than from Twitter. Here's the policy.

How to report

Send a clear write-up (what, where, repro steps, impact) to moderation@azhar-platform.example. Include a screen recording or HTTP trace if you have one. Please do NOT post the finding publicly until we've had a chance to fix it.

What we promise

  • We acknowledge every report within 2 business days.
  • We triage and assign a severity within 5 business days.
  • We fix critical issues within 7 days; high issues within 30 days; medium and low on the next regular release cycle.
  • We credit you publicly (in our changelog and security.txt) once the fix is shipped, if you want — anonymous is also fine.

In scope

  • Authentication / session bypasses
  • Authorization holes — reading or writing data you shouldn't (per-user, per-family, scholar-admin)
  • Injection (SQL, NoSQL, or prompt injection that escapes our system prompt)
  • Stored XSS or HTML injection on any rendered surface
  • Bypasses of the rate limiter, the abuse-report queue, or the scholar review pipeline

Out of scope

  • Social-engineering or phishing of staff
  • Physical attacks against infrastructure
  • DoS / DDoS demonstrations against our production deployment (please test locally)
  • Findings on third-party services we depend on (report directly to Firebase, Pinecone, Anthropic, OpenAI)

Thank you for keeping families and scholars safe. We're a small team and your reports make the platform better.