# Jabr — Security Policy
# RFC 9116 (https://www.rfc-editor.org/rfc/rfc9116)
#
# If you have found a security vulnerability in Jabr, please report it
# to the address below before disclosing it publicly. We aim to
# acknowledge reports within 48 hours and provide an initial assessment
# within 5 business days.

Contact: mailto:security@jabr.sa
Preferred-Languages: en, ar
Canonical: https://jabr.sa/.well-known/security.txt
Policy: https://jabr.sa/en/legal/security
Hiring: https://jabr.sa/en/careers

# Out of scope:
# - Self-XSS that requires a victim to paste attacker-controlled text into the console
# - Reports from automated scanners without a working proof-of-concept
# - Issues affecting outdated browsers (last two major versions of evergreen browsers only)
# - Denial-of-service via resource exhaustion at sustained rates exceeding normal merchant traffic
#
# In scope:
# - Authentication / authorization bypasses
# - Cross-tenant data leaks (one merchant seeing another's data)
# - Injection (any vector that escapes intended boundaries)
# - Server-side request forgery, remote code execution, privilege escalation
# - Insecure direct object references on companies / users / journal entries
# - Cryptographic weaknesses in stored secrets (e.g. ZATCA private keys)