SECURITY

Responsible disclosure policy.

If you’ve found a security vulnerability in Safua, here’s how to report it — and what we commit to in return.

IN SCOPE

What we want to hear about.

In scope

  • Vulnerabilities in safua.ai (including all subdomains)
  • Vulnerabilities in the Safua product (signup, signin, Mission Control, IDE, Review Engine)
  • Account takeover, privilege escalation, or data exposure issues
  • Payment flow vulnerabilities (when payments go live)
  • Email injection, SPF/DKIM bypass, or phishing risk vectors
  • Third-party dependency vulnerabilities affecting Safua directly

Out of scope

  • Social engineering attacks targeting Safua staff
  • Physical attacks or denial-of-service
  • Vulnerabilities in third-party services (report to them directly)
  • Missing security headers without demonstrated exploit
  • Self-XSS or clickjacking without demonstrated impact

REPORT

Send a detailed writeup.

Email: security@darkolab.com (preferred)
Machine-readable policy: /.well-known/security.txt

Please include:

  • A clear description of the vulnerability
  • Steps to reproduce (with any required payload, screenshots, or video)
  • The impact you believe this has
  • Your name or handle, if you want credit

We acknowledge receipt within 2 business days. We respond with triage within 5 business days. We fix confirmed high-severity issues within 30 days; lower-severity within 90.

OUR COMMITMENT

Safe harbour for good-faith research.

If you act in good faith, we commit to:

  • Not pursuing legal action against you
  • Not reporting you to law enforcement
  • Acknowledging your contribution (with your permission) on a public Hall of Fame
  • Working with you on coordinated disclosure timing

Good faith means: you don’t access data beyond what’s needed to prove the vulnerability, you don’t degrade service for other users, you don’t exfiltrate data you shouldn’t have, and you give us reasonable time to fix before public disclosure.