Security Policy
How we protect your data and how to report vulnerabilities responsibly.
Vulnerability Disclosure Policy
We take security seriously. If you discover a security vulnerability, we encourage you to report it responsibly using the process below.
Report via Email
security@syriahub.org
48-Hour Response
We acknowledge all reports within 48 hours
Resolution
Timeline provided within 7 days
What to Report
In Scope
- Authentication and authorization vulnerabilities
- Data exposure or leakage issues
- Cross-site scripting (XSS) attacks
- Server-side request forgery (SSRF)
Out of Scope
- Denial of service (DoS) attacks
- Social engineering attacks
- Physical security issues
Our Commitment
Security Infrastructure
Our platform undergoes regular security reviews. Here are the security measures implemented as of January 2026:
Origin Validation
All mutation endpoints are protected with origin validation to prevent Cross-Site Request Forgery (CSRF) attacks.
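One way such an origin check can be written, as an added example (not this platform's own code): the allow-list entry, function names and reason strings are assumptions. State-changing requests with a missing, opaque or non-matching origin are rejected.

```javascript
// Added example: origin validation for state-changing requests (CSRF defence).
// ALLOWED_ORIGINS is an assumed allow-list; the hostname is a placeholder.
const ALLOWED_ORIGINS = new Set(["https://app.example.org"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Normalise a header value to scheme://host[:port], or null if it cannot
// be parsed or is an opaque origin (sandboxed frame, data: URL, ...).
function toOrigin(value) {
  if (!value || value === "null") return null;
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

// Returns { allowed, reason }. Header names are expected lower-cased,
// as Node's http module delivers them.
function checkOrigin(method, headers, allowed = ALLOWED_ORIGINS) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allowed: true, reason: "safe-method" };
  }
  // Prefer Origin; fall back to Referer only when Origin is absent.
  const source =
    headers["origin"] !== undefined ? headers["origin"] : headers["referer"];
  const origin = toOrigin(source);
  if (origin === null) {
    // Fail closed: a mutation with no verifiable origin is rejected.
    return { allowed: false, reason: "missing-or-opaque-origin" };
  }
  // Exact match on the parsed origin, never a prefix or substring test,
  // so look-alike hosts and scheme downgrades do not pass.
  if (!allowed.has(origin)) {
    return { allowed: false, reason: "origin-not-allowed" };
  }
  return { allowed: true, reason: "origin-match" };
}
```

The comparison is made on the parsed origin rather than the raw header string, so a Referer carrying a path and query still matches while a host that merely begins with the allowed name does not.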
Rate Limiting
IP-based rate limiting on all endpoints protects against abuse and brute-force attacks.
Turnstile Verification
Bot protection on public forms with fail-closed behavior in production mode.
Cryptographic Tokens
All public tokens are generated using secure cryptographic functions (gen_random_bytes).
Protected Endpoints
All sensitive endpoints are protected with origin validation and rate limiting: