Security at Aamey
We take security seriously. If you discover a vulnerability, we want to hear from you — and we will treat your report with respect and urgency.
Built by Joorus Inc.
Report a vulnerability
How to report
Email a detailed description of the vulnerability to [email protected]. Include steps to reproduce, potential impact, and any proof-of-concept. Encrypt sensitive reports with our PGP key (available on request).
We acknowledge all reports within 2 business days.
Responsible disclosure
- ✓ 90-day disclosure window from acknowledgement
- ✓ We will notify you before any public disclosure
- ✓ We ask that you do not publish details until we patch
- ✓ Do not access, modify, or delete user data
- ✓ Do not perform denial-of-service attacks
- ✓ Do not test against production users without consent
Safe harbour
Joorus Inc. will not pursue legal action against security researchers who discover and report vulnerabilities in good faith and in accordance with this policy.
We consider responsible disclosure activities to be authorised and will work with your legal team if needed to confirm this in writing.
Our security posture
HTTPS everywhere
All traffic is served over HTTPS. HTTP connections are permanently redirected. HSTS is enforced with a 2-year max-age and includeSubDomains.
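A practitioner verifying the HSTS claim above wants to check the header value itself, not just its presence. The following is an added example, not code from Aamey or Joorus Inc.: it parses a Strict-Transport-Security header value per RFC 6797 (case-insensitive directive names, optional quoting, no duplicate directives) and reports where it falls short of the stated target of a 2-year max-age with includeSubDomains. The sample header values are constructed for the example, not captured from any host.

```python
"""Check a Strict-Transport-Security header value against a stated HSTS target.

Added example, not Aamey's or Joorus Inc.'s code. The target (max-age of at
least 2 years = 63072000 seconds, includeSubDomains set) is taken from the
posture statement; the threshold and sample values below are assumptions.
"""
import re

TWO_YEARS = 2 * 365 * 24 * 60 * 60  # 63072000 seconds


def parse_hsts(value):
    """Parse an HSTS header value into a dict of lower-cased directives.

    Returns None when the value is invalid under RFC 6797: max-age missing
    or non-numeric, or a directive repeated (user agents ignore such headers,
    so the host silently gets no HSTS protection at all).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # directive values may be quoted-strings
        if name in directives:
            return None  # duplicate directive: whole header is invalid
        directives[name] = val
    if "max-age" not in directives or not re.fullmatch(r"\d+", directives["max-age"]):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def check_hsts(value, min_age=TWO_YEARS, require_subdomains=True):
    """Return a list of findings; an empty list means the header meets the target."""
    parsed = parse_hsts(value)
    if parsed is None:
        return ["missing or malformed max-age directive"]
    findings = []
    if parsed["max-age"] == 0:
        # max-age=0 is the documented way to *remove* a cached HSTS policy.
        findings.append("max-age=0 clears HSTS for this host")
    elif parsed["max-age"] < min_age:
        findings.append(f"max-age {parsed['max-age']} is below the target {min_age}")
    if require_subdomains and "includesubdomains" not in parsed:
        findings.append("includeSubDomains is not set")
    return findings


# Constructed sample header values (assumptions for the example, not live data).
SAMPLES = {
    "target": "max-age=63072000; includeSubDomains",  # meets the stated posture
    "short": "max-age=86400",                         # one day, no subdomains
    "cleared": "max-age=0",                           # would clear the policy
    "broken": "includeSubDomains",                    # no max-age: header ignored
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:8} {value!r:40} -> {check_hsts(value) or 'OK'}")
```

The parser is deliberately strict about duplicates and a missing max-age because a browser treats such a header as absent; a check that only looked for the substring `max-age` would pass a host that has no effective HSTS policy.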
TLS 1.3
We support TLS 1.3 exclusively on all endpoints. TLS 1.0 and 1.1 are disabled. Forward secrecy is enabled via ECDHE key exchange.
Encryption at rest
Sensitive fields are encrypted at the database level using pgcrypto (AES-256). Disk-level encryption is applied to all storage volumes.
Audit logging
All privileged actions, data access events, and auth events are written to an append-only audit log. Logs are retained for 12 months.
SOC 2 readiness
We are targeting SOC 2 Type II certification within 18 months of our v1.0 general availability launch. Controls are actively instrumented.
Dependency scanning
Automated vulnerability scanning runs on every pull request. Known CVEs in dependencies trigger blocking alerts before any code ships.
Access controls
Role-based access control (RBAC) with least-privilege enforcement. All production access is MFA-gated and session-time-limited.
Security testing
OWASP Top 10 checks are part of our CI pipeline. Penetration testing is scheduled quarterly by an independent third party.
Bug bounty
We are launching a formal bug bounty programme within 6 months of our v1.0 GA release, hosted on HackerOne or YesWeHack. Until then, we honour the reward tiers below for responsibly disclosed vulnerabilities.
| Severity | Examples | Reward |
|---|---|---|
| Critical | RCE, auth bypass, mass data exposure | $5,000+ |
| High | Privilege escalation, PII leakage, payment data | $1,000 – $3,000 |
| Medium | CSRF, stored XSS, IDOR with limited scope | $250 – $750 |
| Low | Non-exploitable info leaks, UI redressing | Swag |
Rewards are at our sole discretion. Duplicate reports, out-of-scope findings, and reports that violate this policy are not eligible. Payments are made via bank transfer or PayPal.
Hall of fame
Our researcher acknowledgements will appear here after launch.
Be the first to find a vulnerability and earn your place here.
Questions about this policy? Email [email protected]
Joorus Inc. · [email protected] · 250 Consumers Road, Suite 719, Toronto ON M2J 4V6