
Security

We take security seriously. So do our researchers.

This page covers our security contact, responsible disclosure programme, bug bounty policy, and Hall of Fame. If you have found a vulnerability, please follow the guidelines below.


Contact

Security contact

All security reports must be sent to [email protected]. Do not use general support channels for security-sensitive disclosures.

We follow a 90-day coordinated disclosure standard. You may publish your findings after coordinated disclosure is complete or after 90 days from initial report — whichever comes first.

For machine-readable details, see /.well-known/security.txt.

Programme

Bug bounty policy

We are in soft-launch phase. Monetary bounties are not offered yet. Valid Critical and High findings are rewarded with HalalCrypto platform credit + swag. Medium and Low findings earn a permanent Hall of Fame listing.

In scope: the production site, all API endpoints (/rest/v1/*, /api/*), webhook endpoints (Lemon Squeezy, NowPayments), Supabase RLS policies, and bot credential handling paths.

Out of scope: social engineering, physical attacks, denial-of-service, third-party services we do not operate (Paddle, Lemon Squeezy, Cloudflare), and any test conducted against accounts or data not your own.

SLAs

Response timeline

Acknowledgment of report: 24 hours
Triage and validity confirmation: 7 days
Patch (Critical): 30 days
Patch (High): 45 days
Patch (Medium): 90 days
Patch (Low): best effort
Hall of Fame update: 7 days post-disclosure

Encryption

PGP key

We support encrypted email for sensitive disclosures. Request our PGP public key by emailing [email protected] with the subject line “PGP key request”.

Fingerprint: [to be published at launch]

The key will be available at /.well-known/security-pgp.asc.

Until the public key server listing is live, the PGP key is available on request from [email protected].

Recognition

Hall of Fame

We maintain a permanent record of researchers who have responsibly disclosed valid vulnerabilities. Each entry includes the researcher name or handle, severity, and disclosure date. Entries are permanent and researcher-controlled.

No entries yet

Be the first researcher credited in the HalalCrypto Hall of Fame. Submit a valid vulnerability report to get started.


Safe harbor

HalalCrypto will not initiate or support legal action against researchers who discover and report security vulnerabilities in good faith, comply with our full bug bounty policy, and coordinate disclosure with us before publishing. If a third party initiates legal action against a researcher acting in compliance with this programme, HalalCrypto will make clear that the research was authorised.

Rules of engagement: coordinate disclosure before publishing, do not access or modify data belonging to others, do not run denial-of-service tests, and limit any pen-testing to accounts you control. Reports that violate these rules will be handled outside the safe-harbor commitment.