Vulnerability Disclosure Program (VDP)

If you have found a security vulnerability on Kahf, we encourage you to let us know right away.

Important Notice:

Vulnerabilities involving user data, PII, or finance-related information are considered CRITICAL. Exploitation is strictly prohibited.

Scope

  • kahf.com.tr, *.kahf.com.tr
  • kahfguard.com
  • kahfkids.com/learn
  • kahfbrowser.com
  • muslimsday.com
  • mahfil.net (video-sharing platform)
  • hikmah.net (social network)
  • Official Kahf apps: Guard, Kids, Browser, Mahfil, Muslims Day, Hikmah (Android, iOS, Windows, macOS, Web)
  • Public APIs and services under the above domains
  • Public GitHub repositories (Kahf org)

If you believe a particular asset or activity not mentioned here should be included in the scope, please submit a report with a brief description explaining why you think it should be covered.

Out of Scope

  • Third-party vendors, services, and payment processors
  • Marketing microsites not under listed domains
  • Physical, social engineering, phishing
  • DoS/DDoS, brute-force, spam, automated scanning
  • Issues requiring jailbroken/rooted devices

Types of Recognition

Response Targets

Action            Target
First Response    Within 2 business days
Time to Triage    Within 10 business days
Fix Timeline      Severity-based, communicated transparently

Rules & Guidelines

  • Do not access or alter user data
  • No service disruption (DoS, DDoS, brute force, spam)
  • No phishing, social engineering, or insider abuse
  • Use only accounts you own or test accounts provided
  • Disclose only via shared email / Form (need to finalize)
  • Keep reports confidential until closure
  • Delete PoC data after issue resolution

Exclusions (Not Eligible)

  • Clickjacking without impact
  • Missing/known headers
  • Open ports, verbose error messages
  • Self-XSS, logout CSRF
  • Open redirects unless part of a chained exploit
  • Outdated browsers/software
  • Non-exploitable information disclosures
  • Vulnerabilities that have no impact
  • Host header injection without a demonstrable impact

Reporting a vulnerability

For any queries about the VDP, email us at info@kahf.com.tr

Thank you for helping keep Kahf secure!