Security policy
Coordinated disclosure for hamdanakram.com. Read this before reporting.
Scope
In scope: hamdanakram.com, its subdomains, public APIs, and the booking system. Out of scope: third-party SaaS dashboards, social media accounts, and any system belonging to companies I work for or own. Report those through the relevant company's own programme.
Safe harbour
I will not pursue legal action against good-faith research that respects user privacy, avoids data destruction, and does not degrade service. Do not attempt social engineering, physical intrusion, or denial-of-service.
Response targets
- Initial acknowledgement: within 3 working days.
- Status update: within 14 days.
- Public credit on request, on /security-thanks.
How to report
Email security@hamdanakram.com, ideally encrypted with my PGP key linked from /.well-known/security.txt. Include reproduction steps, impact, and any suggested remediation.
What I will not do
I will not pay bounties on this site. I will not publicly disclose your details without consent. I will not take action against researchers who follow this policy.
