Vulnerability Disclosure Program (VDP)
If you have found a security vulnerability on Kahf, we encourage you to let us know right away.
Scope
In Scope
- kahf.com.tr, *.kahf.com.tr
- kahfguard.com
- kahfkids.com/learn
- kahfbrowser.com
- muslimsday.com
- mahfil.net (video-sharing platform)
- hikmah.net (social network)
- Official Kahf apps: Guard, Kids, Browser, Mahfil, Muslims Day, Hikmah (Android, iOS, Windows, macOS, Web)
- Public APIs and services under the above domains
- Public GitHub repositories (Kahf org)
If you believe a particular asset or activity not mentioned here should be included in the scope, please submit a report with a brief description explaining why you think it should be covered.
Out of Scope
- Third-party vendors, services, and payment processors
- Marketing microsites not under listed domains
- Physical, social engineering, phishing attacks
- DoS/DDoS, brute-force, spam, automated scanning
- Issues requiring jailbroken or rooted devices
Types of Recognition
Hall of Fame
Public acknowledgment on Kahf's security Hall of Fame page.
Swag
Exclusive Kahf merchandise for qualifying reports.
Certificate / Appreciation Letter
A formal letter of appreciation acknowledging your contribution.
Response Targets
| Action | Target |
| --- | --- |
| First Response | Within 2 business days |
| Time to Triage | Within 10 business days |
| Fix Timeline | Severity-based, communicated transparently |
Rules & Guidelines
- Do not access, alter, or exfiltrate user data
- Do not disrupt or degrade service availability
- Do not perform attacks against Kahf users
- Do not use automated vulnerability scanners against production systems
- Keep all vulnerability details confidential until we issue a fix
- Report findings through the official channel only
- Allow reasonable time for remediation before any public disclosure
- Act in good faith and avoid any actions that could cause harm