Security & Responsible Disclosure
We take security seriously. If you've found a vulnerability in any KhassinX app or web property, we appreciate your help in disclosing it responsibly.
Reporting
Email: [email protected]
Machine-readable disclosure pointer: /.well-known/security.txt (RFC 9116)
Scope
- khassinx.com and all KhassinX subdomains (asvab.khassinx.com, khazen.khassinx.com, etc.)
- iOS, iPadOS, macOS, watchOS, and visionOS apps published by KhassinX on the Apple App Store
Out of scope
- Third-party services we depend on (Apple App Store, Cloudflare, GitHub) — please report to them directly
- Volumetric attacks (DDoS, brute force) — not vulnerabilities; reach Cloudflare
- Social engineering of KhassinX staff or contractors
- Reports generated solely by automated scanners without reproducible proof of impact
Response targets
- Acknowledgement: within 5 business days
- Initial triage: within 14 days
- Coordinated disclosure timeline: agreed case by case
Safe harbor
We will not pursue legal action against researchers acting in good faith — investigating, reporting, and respecting our scope rules. This includes researchers accessing only data necessary to demonstrate the issue, not exfiltrating user data, and giving us reasonable time to remediate before public disclosure.
Recognition
We don't currently offer a monetary bug bounty. We do offer:
- Public acknowledgement on this page (Hall of Thanks)
- Free lifetime credit for the affected KhassinX app
- A formal letter of recognition you can use in your portfolio