# Mahara security contact — RFC 9116
# https://mahara.sy/security

Contact: mailto:support@mahara.sy
Preferred-Languages: ar, en
Canonical: https://mahara.sy/.well-known/security.txt
Policy: https://mahara.sy/security
Hiring: https://mahara.sy/security/researchers
Acknowledgments: https://mahara.sy/security/researchers
Expires: 2027-05-18T00:00:00.000Z

# We commit to:
# - Acknowledging your report within 72 hours.
# - Keeping you posted while we investigate.
# - Crediting you publicly once the issue is fixed (with your consent).
# - Not pursuing legal action against good-faith researchers who follow
#   this policy.
#
# Out of scope:
# - Reports that require physical access to a victim's device.
# - Findings purely affecting the development environment.
# - Outdated browser engines / hardware.
#
# In scope:
# - Mahara web platform (mahara.sy and any subdomain).
# - Mahara-operated APIs.
# - Authentication, authorization, payouts, dispute resolution, AI
#   matching, identity verification, file uploads.
#
# Please do not run automated scanning against production at rates above
# 1 request/second. Avoid touching real user data. If you need a
# realistic target, ask us — we can set up a test account.