We take the security of Пора на пару seriously. Our products handle the personal data of students and staff, so we treat any vulnerability report with priority and care.
Please do not open a public issue for security problems.
Report privately through either channel:
- Email — security@poranaparu.com
- GitHub — Private vulnerability reporting ("Report a vulnerability" on the Security tab of the affected repository)
To help us triage quickly, please include:
- A description of the issue and its potential impact.
- Steps to reproduce (proof-of-concept, requests, or screenshots).
- The affected product and platform (iOS / Android / web / admin) and version, if known.
- Any suggested remediation, if you have one.
| Stage | Target |
|---|---|
| Acknowledge your report | within 3 business days |
| Initial assessment & severity | within 7 business days |
| Fix or mitigation plan | depends on severity, shared with you |
We'll keep you updated through the process and credit you in our disclosure (with your consent) once the issue is resolved.
In scope: the Пора на пару mobile apps (iOS, Android), the public web app, the admin service, and our public-facing infrastructure.
- Give us a reasonable time to fix the issue before any public disclosure.
- Make a good-faith effort to avoid privacy violations, data destruction, and service interruption.
- Only interact with accounts you own or have explicit permission to test.
- Run denial-of-service (DoS/DDoS) attacks or automated scanning that degrades service.
- Access, modify, or delete data that does not belong to you.
- Use social engineering, phishing, or physical attacks against our team or users.
We will not pursue or support legal action against researchers who discover and report vulnerabilities in good faith and in line with this policy. If in doubt about whether an action is acceptable, ask us first at security@poranaparu.com.
Thank you for helping keep Пора на пару and its users safe. 🙏