Note: we have paused accepting submissions to focus on solving the large number of pending issues. We will resume within the next few weeks, after fixing the noted matters and rewarding the researchers.
No technology is perfect, and Anghami believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
- Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.
Eligibility and Responsible Disclosure Policy
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Any issue disclosed via social media is considered void, and we will no longer be able to work with the security researcher.
- Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability associated with a site or application in scope.
- You may not publicly disclose the vulnerability prior to our resolution.
Bounty Program
To show our appreciation of responsible security researchers, Anghami offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion.
We do not accept public disclosures.
Scope
Non-Qualifying Vulnerabilities
Depending on their impact, not all reported issues may qualify for a monetary reward. However, all reports are reviewed on a case-by-case basis, and any report that results in a change being made will at a minimum receive Hall of Fame recognition.
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
- Attacks requiring physical access to a user's device or clipboard
- Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
- Login/logout CSRF
- Password and account recovery policies, such as reset link expiration or password complexity
- Missing security headers which do not lead directly to a vulnerability
- Invalid SPF (Sender Policy Framework) records
- Clickjacking on static websites
- Content spoofing / text injection
- Cookies missing the Secure flag
- Use of a known-vulnerable library (without evidence of exploitability)
- Descriptive / unique error pages (we require evidence of actual vulnerability)
- Issues related to software or protocols not under Anghami control
- Reports from automated tools or scans
- Reports of spam (see here for more info)
- Bypass of URL malware detection
- Vulnerabilities affecting users of outdated or unpatched browsers and platforms
- Social engineering (including phishing)
- Spamming
Important Note
You must comply with all applicable laws in connection with your participation in this program.
We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.
Thank you for helping keep Anghami and our users safe!