Taani Responsible Disclosure Policy

If you identify vulnerabilityin any of our web properties, please follow these steps:

• Report Immediately–Send an email to security@chikdozi.comwith details to reproduce the vulnerability. This may include screenshots, videos, or step-by-step instructions.
• Provide Contact Details–Share your email and phone numberso that our security team can reach out if further information is needed.
• Ensure Reproducibility–Provide sufficient details so we can verify and resolve the issue quickly.
• Confidentiality–Do not disclose the vulnerability to anyone until we have resolved it.
• Responsible Conduct–Do not engage in attacks involving:
o Physical security breaches o Social engineering tactics o Distributed Denial of Service(DDoS) attacks o Spam or unauthorized access attempts

We evaluate reported vulnerabilities based on their severity and impact. Eligibility for recognition is at our sole discretion. Below are the vulnerability categories that are typically considered:

Vulnerability Categories

• Cross-Site Request Forgery (CSRF)
• Cross-Site Scripting (XSS)
• Code Execution Vulnerabilities
• SQL Injections
• Server-Side Request Forgery (SSRF)
• Privilege Escalation
• Authentication Bypasses
• File Inclusion (Local & Remote)
• Bypassing Protection Mechanisms (e.g., CSRF bypass)✔Sensitive Data Exposure
• Directory Traversal Attacks
• Payment Manipulation
• Unprotected Admin Portals
• Open Redirects Leading to Token/Secret Theft

• Do not violate user privacy or destroy data.
• Do not disrupt services or exploit vulnerabilities beyond necessary testing.
• Do not target other users' accounts or attempt unauthorized access.
• Do not engage in attacks on our physical security measures, social engineering, spam, or DDoS.
• If you discover a severe vulnerability allowing system access, you must stop testing immediately.
• Only Taani/FabAlley will determine when and how vulnerabilities are fixed.
• Do not disclose vulnerabilities to any third party. All reports remain confidential.
• Threatening behavioror exploitation of vulnerabilities for personal gain will result in immediate disqualification from recognition.
• Bug disclosure communications with our Security/Technology Team must remain strictly confidential.
• All artifacts (POC code, screenshots, videos) must be deleted after the bug report is closed

We do not offer cash rewards or participate in bug bounty programs. However, we are happy to issue a certificate of recognition to individuals who responsibly disclose security vulnerabilities and contribute to enhancing the security of systems.

Contributors –Taani Responsible Disclosure Program

We extend our gratitude to all ethical security researchers who have responsibly disclosed vulnerabilities in the system. Your technical expertise, security knowledge, and responsible engagementare truly valued.

For further inquiries, reach out to us at security@chikdozi.com.