Security Policy
Supported Versions
MuslimNest is a web application. Only the live version at muslimnest.co.uk is actively maintained and receives security fixes.
Reporting a Vulnerability
Do not open a public GitHub issue for security vulnerabilities.
Email: hello@muslimnest.co.uk
Subject line: [SECURITY] <short description>
Please include:
- A clear description of the vulnerability
- Steps to reproduce
- The potential impact
- Any suggested mitigations or fixes
We will acknowledge receipt within 7 days. If you do not receive a response within 7 days, follow up by replying to your original email.
Response Timeline
| Stage | Target |
|---|---|
| Acknowledgement | 7 days from receipt |
| Status update (investigating / confirmed / not a bug) | 30 days |
| Fix or mitigation shipped | 90 days for critical issues, longer for low severity |
Scope
In scope:
- muslimnest.co.uk and all subdomains (status.muslimnest.co.uk, etc.)
- The MuslimNest GitHub repository and its CI/CD pipelines
Out of scope:
- Third-party services used by MuslimNest (Vercel, Supabase, Mapbox, Sentry, PostHog)
- Denial-of-service attacks
- Social engineering attacks against team members
- Automated scanner results without manual verification
- Vulnerabilities requiring physical device access
PGP Key
A PGP public key is not currently published. For highly sensitive reports, email first and request it.
Safe Harbour
MuslimNest will not pursue legal action against security researchers who:
- Report vulnerabilities directly and responsibly to us before any public disclosure
- Give us a reasonable time to respond (at least 30 days) before disclosing publicly
- Only access data necessary to demonstrate the vulnerability
- Do not cause service disruption for other users
- Do not exfiltrate, modify, or destroy data
We consider responsible disclosure a service to the community and will acknowledge reporters (by name or pseudonym, as preferred) in our release notes where applicable.