Responsible disclosure
Security Policy
Effective 2026-04-22
Scope
This policy covers fencing.om and every API and subdomain operated by the Oman Fencing Committee. Reports against clubs, athletes or third-party services hosted elsewhere are out of scope; please raise those with the affected operator first.
How to report
Email [email protected] with a short description, proof of concept (curl, screenshots, or a short video) and the earliest time we may publish an acknowledgement. We aim to reply within 48 hours. Machine-readable pointer: /.well-known/security.txt (RFC 9116).
Examples of issues we want to hear about
Remote code execution, command injection, server-side request forgery (SSRF), authentication bypass or privilege escalation, missing authorisation on board or admin endpoints, insecure direct object references, stored or reflected XSS that survives our sanitisation, sensitive data exposure in logs or cache headers, and cryptographic weaknesses in sessions or OTP delivery.
Out of scope
Denial-of-service floods, social-engineering attempts against volunteers, physical attacks, cookie flags that do not alter the security posture (e.g. missing Secure on a public asset), SPF/DMARC gaps on non-mail subdomains, missing headers on immutable static assets, and output from automated scanners without a working proof of concept.
Safe harbour
If you act in good faith, avoid data destruction, avoid degrading service for others, and stop testing as soon as you confirm the issue, we will not pursue legal action or law-enforcement referral. Touch only your own test data, never live athlete or medical records.
Acknowledgments
We publish a short thank-you to researchers who report a real issue and accept disclosure coordination. If you would rather stay anonymous, let us know in your first email. We do not currently run a paid bounty programme, but for high-impact findings we send an OFC-branded gift as a token of thanks.
Machine-readable pointer for security researchers: /.well-known/security.txt (RFC 9116). Preferred contact: [email protected].