Security & Responsible Disclosure

Khazen handles money. Security is not a feature for us — it is the foundation. If you have found a vulnerability, we appreciate your help in disclosing it responsibly.

This page covers Khazen specifically. For the umbrella policy covering all KhassinX apps, see khassinx.com/security.

Reporting

Email: [email protected]
Machine-readable disclosure pointer: /.well-known/security.txt (RFC 9116)

Please include: a brief description, reproduction steps, the impact you observed, and any tooling or accounts you used. Do not include real bank credentials or production tokens.

Scope

  • khazen.khassinx.com (this website)
  • khazen-links.khassinx.com (Universal Links + OAuth callback endpoint)
  • Khazen iOS / iPadOS / watchOS / macOS apps on the Apple App Store
  • The Khazen backend that proxies bank connections and serves push notifications

Out of scope

  • Third-party services (Apple App Store, the regulated financial data network we integrate with, your bank) — please report to them directly
  • Volumetric attacks (DDoS, brute force) — not vulnerabilities
  • Reports generated solely by automated scanners without reproducible proof of impact
  • Theoretical issues without a demonstrable attack path
  • Email spoofing on subdomains where we explicitly publish SPF/DKIM/DMARC

Response targets

  • Acknowledgement: within five business days
  • Initial triage: within fourteen days
  • Coordinated disclosure timeline: agreed case by case, typically ninety days for non-critical issues and expedited for critical ones

Safe harbor

We will not pursue legal action against researchers acting in good faith — investigating, reporting, and respecting our scope rules. Good faith means accessing only the data necessary to demonstrate the issue, not exfiltrating user data, and giving us reasonable time to remediate before public disclosure.

Recognition

We do not currently offer a monetary bug bounty. We offer:

  • Public acknowledgement on this page (with your consent, in the form you prefer)
  • Direct communication with the engineering team handling the fix
  • A formal credit in our release notes when the fix ships

What we ask you to avoid

  • Do not access, modify, or delete data belonging to other users
  • Do not perform tests that degrade service quality for other users
  • Do not publicly disclose the vulnerability before we have had a reasonable chance to fix it
  • Do not test on production accounts of real customers without explicit written permission

Contact

Security disclosure: [email protected] (PGP key available on request)
General contact: [email protected]