Responsible disclosure
Help us keep Shomar secure
Security researchers are valued partners. If you believe you have found a vulnerability in Shomar, please report it responsibly so we can investigate and remediate quickly.
How to report
Email security@shomarsec.com with a clear description, affected URL or endpoint, reproduction steps, expected impact, and any safe proof-of-concept details. Avoid including real customer data in reports.
In scope
- Shomar public web application
- Shomar APIs
- Authentication and session handling
- Customer data exposure risks
Out of scope
- Social engineering
- Physical attacks
- Denial-of-service testing
- Automated noisy scanning without permission
Research guidelines
Use test accounts where possible, avoid accessing or modifying customer data, do not disrupt service availability, and give Shomar reasonable time to remediate before public disclosure.
Response timeline
We aim to acknowledge valid reports within two business days, provide triage updates as investigation progresses, and coordinate remediation timelines based on severity.