Responsible Disclosure Policy (RDP)

Introduction

At Arabot, the security of our platform and users is our top priority. We welcome responsible disclosure of potential vulnerabilities and appreciate the efforts of security researchers who help us improve our systems.

This policy outlines how to report vulnerabilities to us, how we handle them, and what researchers can expect in return.

Scope

This policy applies to:

  • Our main platform and services under the domain(s): *.arabot.io
  • Any official mobile applications published by us.

This policy does not cover:

  • Third-party services, plugins, or libraries not owned by us.
  • Social engineering, phishing, or physical attacks.
  • Denial of Service (DoS), spam, or brute-force attempts.

Reporting Guidelines

  • Submit vulnerabilities responsibly by emailing: csoc@arabot.io
  • Include as much detail as possible: steps to reproduce, screenshots, proofs of concept.
  • Do not exploit the vulnerability beyond what is required to prove its existence.
  • Do not disclose the issue publicly until we have resolved it.

Our Commitment

When you report a valid issue in scope, we commit to:

  1. Acknowledge receipt within 7 business days.
  2. Provide a validation update within 14 business days.
  3. Work to remediate the issue in a timely manner.
  4. Notify you when the issue has been resolved.
  5. Publicly acknowledge your contribution (if you wish) on our Security Hall of Fame page.

No Compensation Policy

We currently do not offer monetary rewards or bug bounties. Submissions are voluntary and at your own discretion. Your reward will be recognition in our Security Hall of Fame.

Safe Harbor

We will not initiate legal action against researchers who:

  • Follow this Responsible Disclosure Policy in good faith.
  • Avoid privacy violations, destruction of data, or interruption of service.


© 2025 copyright Arabot. All rights reserved.