Nazm-AI takes the security of its software seriously. This policy applies to every repository in the Nazm-AI organization that does not define its own SECURITY.md.
| Version | Supported |
|---|---|
| main (latest) | Yes |
| Older branches / tags | No — please upgrade |
We develop on a rolling basis: fixes land on main. We do not backport security fixes to older branches.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, use GitHub's private vulnerability reporting:
- Go to the Security tab of the affected repository.
- Click Report a vulnerability (under Advisories).
- Fill in the form with as much detail as you can.
If private reporting is not enabled on a given repository, open a minimal issue that says only "I'd like to report a security issue privately" — without details — and a maintainer will open a private channel.
Please include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce (proof-of-concept code is welcome).
- Any suggested mitigations, if you have them.
In return, you can expect:
- Acknowledgement within 48 hours.
- An initial assessment and a resolution timeline within 7 days.
- We will keep you informed as we work on a fix, and we will coordinate disclosure with you before publishing.
- With your permission, we will credit you in the resulting security advisory. If you prefer to remain anonymous, just let us know.
We follow a 90-day coordinated disclosure model. If a fix cannot be shipped within 90 days, we will communicate the timeline and the reason. We ask that you give us a reasonable opportunity to resolve the issue before any public disclosure.
Because Nazm-AI projects integrate AI models, OAuth flows, and external Quran-data APIs, the following are typically in scope:
- Authentication or authorization bypass, including OAuth2 / PKCE flaws (CSRF, token leakage).
- Injection vulnerabilities in API routes (SQL, command, prompt injection with security impact).
- Exposure of secrets — API keys, client secrets, or user access tokens.
- Cross-site scripting (XSS), especially via externally sourced content rendered in the browser.
- Server-side request forgery (SSRF) in routes that proxy to external services.
- Dependency vulnerabilities with a CVSS score ≥ 7.0.
Generally out of scope:
- Denial-of-service achieved purely through volume (e.g., excessive AI calls), unless it bypasses documented rate limits.
- Theoretical issues with no demonstrated, practical exploit path.
- Vulnerabilities in third-party services we depend on (report those to the respective vendor).
When in doubt, report it — we would rather triage a non-issue than miss a real one.
We will not pursue or support legal action against researchers who, in good faith:
- Make a sincere effort to avoid privacy violations, data destruction, and service degradation.
- Only interact with accounts they own or have explicit permission to test.
- Give us reasonable time to remediate before any disclosure.
Thank you for helping keep Nazm-AI and its users safe.