01

Scope

The following assets are in scope:

  • fitechco.com and all subdomains
  • FI Tech production application endpoints accessible via the platform
  • Mobile or desktop applications published by FI Tech

02

Safe Harbor

FI Tech will not pursue legal action against researchers who:

  • Make a good-faith effort to comply with this policy
  • Avoid privacy violations, service disruption, and destruction of data
  • Use only test accounts they own or have explicit permission to use
  • Stop testing and report immediately if customer data is encountered
  • Do not publicly disclose details before we have had a reasonable time to remediate (typically 90 days)

This policy does not authorize testing against third-party services or sub-processors. It does not constitute a waiver of any rights against actors who act in bad faith or violate applicable Saudi or international law.

03

How to Report

  • Email: security@fitechco.com
  • Encrypted communication: PGP key fingerprint available on request
  • Include: a clear description, reproduction steps, impact, and any proof-of-concept
  • Do not include screenshots or extracts of personal data

04

Our Response

  • Initial acknowledgement within 24 hours
  • Triage and severity assessment within 5 business days
  • Remediation tracked to defined SLAs (Critical: 7 days; High: 30 days; Medium: 90 days)
  • Public acknowledgement (with researcher consent) once remediation is complete
  • Monetary rewards: on the roadmap

05

Out of Scope

  • Findings from automated scanners without demonstrated impact
  • Volumetric / DoS testing or social engineering of staff
  • Physical attacks against FI Tech offices or staff
  • Issues in third-party software where FI Tech is not the maintainer
  • Best-practice configuration suggestions without a working exploit
  • Missing security headers without demonstrated impact

06

security.txt (RFC 9116)

Our machine-readable security contact is published at /.well-known/security.txt.