Security Disclosures
Last updated: May 2026
We take security seriously. If you believe you have found a vulnerability in Dir'aa, please report it responsibly using the process below — we will investigate every credible report.
Reporting a vulnerability
Email info@diraa.ae with a clear description, reproduction steps, affected URL or endpoint, and any proof-of-concept. Please do NOT publicly disclose the issue until we have had a chance to fix it. PGP-encrypted reports are welcome on request.
Scope & safe harbor
In scope: diraa.app, *.diraa.app, our published web app, and our public APIs.
Out of scope: third-party services we depend on, social engineering of staff, physical attacks, denial-of-service, and automated scanner output without a working PoC.
Good-faith research that respects user privacy, avoids data destruction, and follows this policy will not be pursued legally.
Incident response
If a security incident affects user data, we will: contain and remediate the issue, preserve relevant logs, notify affected users by email within 72 hours of confirmation, publish a public post-mortem when appropriate, and rotate any exposed credentials immediately.
Response timeline
• Initial acknowledgement: within 2 business days.
• Triage and severity assessment: within 5 business days.
• Status update at least every 7 days until resolved.
• Public credit (if you wish) once the fix is shipped.
Security contact
Email: info@diraa.ae
For urgent issues affecting user safety, mark the subject line with [URGENT].