Security Policy & Responsible Disclosure
SAHM places strong emphasis on information security and the protection of client data, in line with the Essential Cybersecurity Controls (ECC) issued by the National Cybersecurity Authority (NCA) and the requirements of the Personal Data Protection Law (PDPL).
1. Scope
This policy covers the following digital assets:
- The primary domain sahm.sa and all of its public subdomains.
- The customer portal and employee portal hosted under that domain.
- Public APIs linked to the website.
2. Out of Scope
- Cloud platforms operated by our service providers (e.g. mail, hosting) — please report to those providers.
- Denial-of-service or volumetric attacks.
- Social engineering against SAHM staff or clients.
- Vulnerabilities in browser versions no longer supported by their vendors.
- Reports based solely on automated scanner output with no demonstrated impact.
3. Responsible Disclosure
We encourage security researchers to report vulnerabilities under coordinated disclosure. We commit to taking no legal action against researchers who follow this policy in good faith and do not exceed what is needed to demonstrate a vulnerability.
4. How to Report
- Dedicated mailbox: security@sahm.sa
- See /.well-known/security.txt for the current contact channels.
Please include:
- A clear description of the vulnerability and potential impact.
- Reproduction steps (proof of concept).
- Affected URLs and any supporting logs.
- Your name and preferred contact method (if you wish credit).
5. Target Response Times
- Acknowledgement of report: within two business days.
- Initial triage: within five business days.
- Remediation: we target closing critical and high-severity issues within thirty (30) days of validation; lower-severity issues are scheduled by risk.
- Ongoing communication: we will keep you informed of progress until closure.
6. Acceptable Conduct
- Test only against accounts you own or test accounts you are authorized to use.
- Do not access, modify, or delete other users' data.
- Report findings promptly and refrain from public disclosure prior to remediation.
- Comply with all applicable laws of the Kingdom of Saudi Arabia.
7. Researcher Recognition
We value the contributions of the security community and, on request, are happy to credit researchers who follow this policy on a dedicated thanks page.
8. Updates
This policy may be updated periodically. Material changes are published on this page and reflected in security.txt.