Report vulnerabilities privately and responsibly
Security research can help protect members when it is conducted lawfully, minimally, and without accessing another person's data. This policy describes the reporting route; it is not permission to test production beyond your own account.
Never include passwords, session tokens, private photos, message content, or unnecessary member data in an ordinary email. If sensitive evidence is essential, first ask for a protected transfer method.
How to report
Email support@yahalaly.com with the subject prefix [SECURITY]. Include the affected URL or feature, the date observed, a concise impact statement, steps that use only your own test account, and the minimum redacted evidence needed to understand the issue.
Do not publish the issue or notify unrelated third parties before Yahalaly has had a reasonable opportunity to investigate and protect members.
Safe reporting boundaries
- Use only accounts and data you own or have explicit written authorization to test.
- Stop immediately if you encounter another member's personal data and report the exposure without copying more.
- Do not download photos, messages, database records, backups, secrets, or logs beyond the minimum your own account legitimately returns.
- Do not use automated scanners, high-volume requests, denial of service, social engineering, phishing, malware, credential attacks, or persistence.
- Do not alter, delete, lock, extort, threaten, or degrade any account or service.
What helps triage
- Clear distinction between what you observed and what impact you infer.
- A reproducible request sequence with tokens and personal values removed.
- Browser, operating system, endpoint, and account role used.
- Whether the issue still reproduces after signing out or in a new session.
- A safe remediation suggestion, if you have one.
Response and disclosure
Yahalaly will prioritize credible reports by member impact and exploitability. The founding-member service does not yet promise a bounty, reward, response deadline, safe-harbor agreement, or public credit. Receipt is not confirmation that a report is valid.
Coordinated disclosure timing must be agreed in writing. Yahalaly may limit technical detail where disclosure would expose member data or create an unresolved exploitation path.
Account safety is not vulnerability research
If you are reporting harassment, impersonation, a scam, unwanted contact, or suspicious access to your own account, use the in-app safety controls or safety@yahalaly.com instead. For immediate danger, contact local emergency services.