Responsible disclosure

Help us keep Islamic Open Finance™ banking-grade. Report a vulnerability to security@islamicopenfinance.com (PGP key at /.well-known/security.txt). Acknowledgement within 1 business day.

Non-monetary recognition programme

IOF currently operates a recognition-only responsible-disclosure programme — Hall of Fame, signed disclosure letter, swag, and priority routing onto the paid programme when funded. We do not yet pay cash bounties. Programme upgrade to monetary bounties is on the roadmap; researchers in good standing get priority intake once funding lands.

Recognition tiers

Severity	Recognition	Examples
Critical	Hall-of-Fame entry (top-tier badge) Signed CTO disclosure letter IOF swag pack (T-shirt, stickers, notebook) Priority routing onto the paid programme when funded Public LinkedIn shout-out (researcher consent required)	Authentication bypass / privilege escalation to super-admin Cross-tenant data leak in rail-api Cerbos policy bypass enabling unauthorised contract execution Remote code execution on rail-api / ledger-service Cryptographic key extraction or rotation bypass
High	Hall-of-Fame entry (high badge) Signed disclosure letter IOF swag pack Priority routing onto the paid programme when funded	Single-tenant data leak via unauthorised endpoint Webhook-signing bypass enabling forged events Server-side request forgery in document-renderer Authorisation flaw in /v1/admin/* endpoints
Medium	Hall-of-Fame entry (medium badge) Signed disclosure letter IOF stickers	Stored XSS in tenant-scoped UI surface CSRF in non-state-changing endpoints Information disclosure (stack traces, internal IDs) Rate-limit bypass that does not enable other classes
Low	Hall-of-Fame entry (low badge) Acknowledgement letter	Self-XSS, low-impact information disclosure Misconfigured CORS without exploitable impact Outdated dependency without exploitable path
Informational	Acknowledgement letter (no Hall-of-Fame entry)	Best-practice deviations without a vulnerability Theoretical concerns without proof-of-concept Known accepted risks documented in our risk register

In scope

*.islamicopenfinance.com production surfaces
rail-api, ledger-service, analytics-api endpoints
Cloudflare Workers under workers/*
@iof/* npm SDK packages
Cerbos ABAC policy bypass / privilege escalation
Webhook signing + verification chain

Out of scope

Sandbox-only services without production impact (sandbox.* subdomains)
Third-party integrations not authored by IOF (Onfido, ComplyAdvantage, Stripe, etc.)
Social-engineering / phishing of IOF staff or customers
Physical attacks on IOF infrastructure
DoS / load attacks (test in sandbox; coordinate with security@)
Self-XSS / clickjacking without a meaningful impact path
Rate-limit findings on public marketing pages
Reports generated by automated scanners without human-verified PoC

Safe harbour

Researchers acting in good faith under this programme will not be subject to civil or criminal action by Islamic Open Finance™. We require:

1. No exfiltration of personal or financial data beyond what is needed to demonstrate the vulnerability.
2. No degradation of service for other users.
3. No public disclosure before our co-ordinated disclosure date.
4. Submissions to security@islamicopenfinance.com only — not via social media, public bug trackers, or third-party platforms.

We commit to:
- Acknowledgement within 1 business day.
- Triage within 5 business days.
- Recognition decision within 14 days of triage close.
- Public disclosure on coordinated date (default: 90 days from initial report; configurable).

Submission process

Email security@islamicopenfinance.com (PGP-encrypted preferred for sensitive findings)
Include: scope, repro steps, impact analysis, suggested fix
Acknowledgement within 1 business day
Triage within 5 business days; recognition decision within 14 days
Public disclosure on coordinated date (default: 90 days from initial report; configurable)