Email security@maghrebinsights.co with details. Do not open public issues for vulnerabilities.
We acknowledge within 48 hours and aim to patch critical issues within 7 days.
In scope: data leakage in generated reports, auth bypass on /api, payment flow vulnerabilities, secret exposure, SQL injection, XSS.
Out of scope: rate limiting on public endpoints, missing security headers on marketing pages, theoretical vulnerabilities with no practical exploit.
Coordinated disclosure is preferred. A public CVE is filed after the patch ships.