Security Policy

📋 Policy Information:
Last Updated: July 14, 2025
Version: 3.0 (NIST Framework Compliant)
Effective Date: January 1, 2025
Next Review: January 1, 2026

1. 📖 Policy Overview

Who Zid IS (شركة هو زيد آي إس) is committed to maintaining the highest standards of cybersecurity. This comprehensive security policy outlines our approach to protecting digital assets, client data, and maintaining operational security in accordance with international standards and Saudi Arabian regulations.

🎯 Our Security Mission:
To provide world-class cybersecurity services while maintaining transparency, accountability, and continuous improvement in our security posture.

2. 🎯 Scope and Applicability

This policy applies to all Who Zid IS digital assets and services:

🌐 Web Assets

Main website (whozidis.com)
All subdomains and microsites
Client portals and dashboards

📱 Applications

Mobile applications (iOS/Android)
Desktop applications
Browser extensions

🔌 APIs & Services

REST and GraphQL APIs
Webhook endpoints
Third-party integrations

☁️ Infrastructure

Cloud services (AWS, Azure)
On-premises systems
Network infrastructure

3. 🚨 Vulnerability Reporting

⚠️ Critical Security Notice:
Please do NOT disclose security vulnerabilities publicly. Report them directly to our security team following the responsible disclosure process outlined below.

3.1 How to Report Vulnerabilities

📧 Primary Contact: security@whozidis.com
🔐 PGP Encrypted Reports: Download our PGP key
📞 Emergency Hotline: +966 58 104 9813 (Critical vulnerabilities only)
💬 Secure Messaging: Signal: +966 58 104 9813

3.2 Required Information

Vulnerability Description: Clear, detailed explanation of the security issue
Reproduction Steps: Step-by-step instructions to reproduce the vulnerability
Impact Assessment: Potential consequences and affected systems
Proof of Concept: Screenshots, videos, or code samples (if applicable)
Researcher Information: Your contact details and preferred communication method
Discovery Timeline: When and how you discovered the vulnerability

Hall of Fame Vulnerability Reports

No vulnerability reports found.

4. ⏱️ Response Timeline & SLA

72h

Assessment Complete: Vulnerability validation and severity classification

7d

Status Update: Detailed remediation plan and estimated timeline

4.1 Resolution Timeline by Severity

🔴 Critical

24-48 hours

Remote code execution, data breach, authentication bypass

🟠 High

7 days

Privilege escalation, significant data exposure

🟡 Medium

30 days

XSS, CSRF, information disclosure

🟢 Low

90 days

Minor information leakage, configuration issues

5. 🔒 Security Framework & Controls

5.1 Data Protection Measures

TLS 1.3 All data transmission encrypted using latest TLS standards
AES-256 Data at rest encryption using industry-standard algorithms
Zero Trust Network architecture with continuous verification
MFA Multi-factor authentication for all administrative access
HSM Hardware Security Modules for key management

5.2 Infrastructure Security

WAF Web Application Firewall with real-time threat detection
DDoS Advanced DDoS protection and mitigation
SIEM Security Information and Event Management system
24/7 SOC Security Operations Center monitoring
IDS/IPS Intrusion Detection and Prevention Systems

5.3 Application Security

SAST Static Application Security Testing in CI/CD pipeline
DAST Dynamic Application Security Testing
SCA Software Composition Analysis for dependencies
OWASP Following OWASP Top 10 security guidelines
Secure SDLC Security integrated throughout development lifecycle

6. 📋 Compliance & Standards

🇸🇦 Saudi Regulations

CITC Cybersecurity Framework
SAMA Cybersecurity Framework
Personal Data Protection Law (PDPL)

🌍 International Standards

ISO 27001:2022 Information Security
NIST Cybersecurity Framework 2.0
SOC 2 Type II Compliance

🔐 Privacy Regulations

GDPR (General Data Protection Regulation)
CCPA (California Consumer Privacy Act)
PIPEDA (Personal Information Protection)

💳 Industry Standards

PCI DSS Level 1 Compliance
HIPAA Security Rule
FedRAMP Moderate Authorization

7. 🏆 Bug Bounty & Recognition Program

🎯 Program Scope: All Who Zid IS owned assets and services
💰 Rewards: Recognition, certificates, and exclusive merchandise
📈 Future Plans: Monetary rewards program launching Q4 2025

7.1 Current Recognition Benefits

🌟 Public recognition in our Security Hall of Fame
📜 Official certificate of appreciation signed by our CISO
🎁 Exclusive Who Zid IS security researcher merchandise
🤝 Direct communication channel with our security team
📧 Invitation to exclusive security webinars and events

8. ❌ Out of Scope Activities

⚠️ The following activities are strictly prohibited:

🚫 Denial of Service (DoS/DDoS) attacks against our infrastructure
🚫 Social engineering attacks against our employees or clients
🚫 Physical security testing of our facilities
🚫 Accessing, modifying, or deleting user data
🚫 Disrupting our services or degrading user experience
🚫 Testing third-party services integrated with our platform
🚫 Automated vulnerability scanning without prior approval
🚫 Testing recently patched vulnerabilities (within 30 days)

9. ⚖️ Legal Safe Harbor

Who Zid IS commits to not pursuing legal action against security researchers who:

✅ Follow responsible disclosure practices outlined in this policy
✅ Provide reasonable time for vulnerability remediation
✅ Do not access, modify, or delete user data
✅ Do not disrupt our services or degrade performance
✅ Do not publicly disclose vulnerabilities before resolution
✅ Act in good faith to help improve our security posture

📝 Legal Note: This safe harbor provision applies only to security research activities conducted in accordance with this policy. Any activities outside this scope may be subject to legal action.

10. 📞 Contact Information

🔒 Security Team

Email: security@whozidis.com

PGP: Download Key

Response: 24 hours

🆘 Emergency Contact

Phone: +966 58 104 9813

Signal: +966 58 104 9813

Critical issues only

💼 Business Inquiries

Email: info@whozidis.com

Phone: +966 58 104 9813

Business hours: 9AM-6PM AST

🎓 Security Training

Email: training@whozidis.com

Workshops and certifications

Available in Arabic & English

This security policy is compliant with NIST Cybersecurity Framework 2.0 and Saudi CITC regulations.

Last updated: July 14, 2025 | Next review: January 1, 2026

Questions about this policy? Contact us.

Shopping Cart

Categories

Menu

Security Policy

🛡️ Security Policy

1. 📖 Policy Overview

2. 🎯 Scope and Applicability

3. 🚨 Vulnerability Reporting

3.1 How to Report Vulnerabilities

3.2 Required Information

Hall of Fame Vulnerability Reports

4. ⏱️ Response Timeline & SLA

4.1 Resolution Timeline by Severity

5. 🔒 Security Framework & Controls

5.1 Data Protection Measures

5.2 Infrastructure Security

5.3 Application Security

6. 📋 Compliance & Standards

7. 🏆 Bug Bounty & Recognition Program

7.1 Current Recognition Benefits

8. ❌ Out of Scope Activities

9. ⚖️ Legal Safe Harbor

10. 📞 Contact Information

Shopping Cart

Categories

Menu

Security Policy

🛡️ Security Policy

1. 📖 Policy Overview

2. 🎯 Scope and Applicability

3. 🚨 Vulnerability Reporting

3.1 How to Report Vulnerabilities

3.2 Required Information

Hall of Fame Vulnerability Reports

4. ⏱️ Response Timeline & SLA

4.1 Resolution Timeline by Severity

5. 🔒 Security Framework & Controls

5.1 Data Protection Measures

5.2 Infrastructure Security

5.3 Application Security

6. 📋 Compliance & Standards

7. 🏆 Bug Bounty & Recognition Program

7.1 Current Recognition Benefits

8. ❌ Out of Scope Activities

9. ⚖️ Legal Safe Harbor

10. 📞 Contact Information

Join Who Zid IS Newsletter