سراج | Siraj

Security & Vulnerability Disclosure

Last updated: July 1, 2026

1. Our Commitment

At Siraj, the security and privacy of our users' data is a top priority. We are committed to protecting the confidentiality, integrity, and availability of the information entrusted to us. We continuously invest in security infrastructure, conduct regular assessments, and foster a culture of security awareness across our team. We welcome the help of security researchers in making our platform safer for everyone.

2. Security Measures

We implement a comprehensive set of security measures to protect our platform and user data:

  • Encryption at Rest: All sensitive user data is encrypted using industry-standard AES-256 encryption.
  • Encryption in Transit: All communications with our platform are secured via TLS 1.3 or higher.
  • Access Controls: Strict role-based access controls (RBAC) with multi-factor authentication (MFA) for all administrative accounts.
  • Continuous Monitoring: 24/7 monitoring of infrastructure for suspicious activity using intrusion detection and log analysis systems.
  • Regular Audits: Periodic internal and third-party security audits, vulnerability scans, and penetration testing.
  • Data Minimization: We collect only the data necessary to provide our services, in compliance with Saudi PDPL.

3. Responsible Disclosure Policy

We encourage security researchers and the public to report potential vulnerabilities in Siraj's platform responsibly. If you discover a security issue, we ask that you disclose it to us privately and allow us a reasonable period to investigate and remediate before any public disclosure. We commit to acknowledging receipt of vulnerability reports within 48 hours.

4. Reporting a Vulnerability

To report a security vulnerability, please send a detailed report to our security team at security@siraj.sa. Your report should include:

  • A description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Any relevant screenshots, logs, or proof-of-concept code
  • Your preferred contact information for follow-up

Please do not submit vulnerabilities through public channels or GitHub issues. We use PGP for encrypted communications — our security team's public key is available upon request.

5. What We Promise

When you report a vulnerability in accordance with our Responsible Disclosure Policy, we commit to:

  • Responding to your report within 48 hours (business days)
  • Investigating and validating the reported issue promptly
  • Keeping you informed of progress and estimated remediation timelines
  • Not pursuing legal action against good-faith security research
  • Giving you credit for the discovery (with your permission)

6. Scope

The following are considered in scope for our vulnerability disclosure program:

  • The Siraj web application and all subdomains under siraj.sa
  • Siraj mobile applications (iOS and Android)
  • Siraj API endpoints

The following are out of scope and will not qualify for recognition:

  • Social engineering attacks against Siraj staff or users
  • Denial-of-service (DoS) attacks
  • Physical security breaches
  • Vulnerabilities in third-party services not controlled by Siraj
  • Self-XSS or issues requiring unlikely user interaction
  • Theoretical vulnerabilities without practical exploitability

7. Recognition

We maintain a Security Hall of Fame to acknowledge researchers who help us improve our security posture. With your permission, we will list your name or pseudonym in recognition of your contribution. We do not currently offer monetary bounties, but we deeply appreciate responsible disclosures and may provide Siraj swag as a token of gratitude.

8. Contact

For security-related inquiries or to submit a vulnerability report:

Siraj Platform
Security Team
King Abdullah Financial District
Riyadh, Saudi Arabia
security@siraj.sa