Responsible disclosure.
How to report a vulnerability in Noorani, what you can expect from us, and what we promise in return.
Reporting a vulnerability
If you've found a security issue in Noorani Browser or nooranibrowser.com:
Email: nooranibrowser@gmail.com · Subject: [SECURITY] followed by a short title.
Please include:
- A description of the vulnerability — what it is, how it works, what it affects
- Steps to reproduce, ideally with a minimal test case
- The Noorani version, operating system, and any relevant environment details
- Your assessment of impact and severity
- Whether you've told anyone else or are planning to publish
We prefer plain-text email. Encrypted email via PGP is welcome but not required; a PGP key will be published here with the v1.0 release.
What you can expect from us
- Acknowledgment within 72 hours — a human reply, not an autoresponder.
- Initial assessment within 7 days — our read of severity, whether we can reproduce, what we plan to do.
- A fix timeline — typically 30 days for high-severity issues, 60 days for medium, 90 days for low.
- Public credit — in release notes and on this page, if you want it. Anonymous reports are fine too.
- Coordinated disclosure — a 90-day window by default; we'll extend if you ask and the fix needs time.
Safe harbor
Researchers acting in good faith — following the rules below and limiting testing to what's needed to identify the issue — will not face legal action from Ataraxy Developers. We view responsible disclosure as a service to our users and to the community.
In scope
- Noorani Browser desktop application (all supported platforms)
- nooranibrowser.com marketing site
- Bundled dependencies insofar as they affect Noorani specifically (upstream Chromium issues should be reported to the Chromium project)
Out of scope
- Social engineering of Ataraxy Developers staff, contractors, or users
- Physical attacks on Ataraxy Developers offices or infrastructure
- Denial-of-service attacks of any kind
- Vulnerabilities in third-party services we don't operate (GitHub, Hostinger, Google Fonts, etc.)
- Issues requiring physical access to an unlocked device
- Issues that only affect a modified fork of Noorani, not the official release
- Theoretical attacks without a demonstrated practical impact
Bug bounty
We are not running a paid bug bounty programme at launch. We can't afford it and we'd rather not pretend otherwise. We will:
- Credit you publicly if you'd like
- Send a hand-written thank-you and, if we can, a small token of appreciation
- Fast-track your reports on future Ataraxy projects
If Noorani reaches a scale where a paid programme makes sense, we'll announce it here.
Past reports
This section will list publicly acknowledged vulnerabilities and their resolution after v1.0 ships. An empty section is a better signal than a fabricated one.
Contact
nooranibrowser@gmail.com with [SECURITY] in the subject.