🌐 Our Security Commitment
Fauji Niwas is dedicated to protecting the locational and personal privacy of India's military families. We completely exclude advertising trackers, enforce end-to-end encryption (E2EE) for peer chats, isolate personally identifiable information (PII), and encrypt sensitive documents locally on user devices before transit.
We appreciate the role of security researchers and community members in keeping our platform safe. If you identify a security vulnerability, we invite you to report it to us responsibly.
🛡️ Responsible Disclosure Guidelines
To encourage responsible reporting, we ask that you adhere to the following principles:
- Provide a detailed description of the vulnerability, including step-by-step instructions or proof-of-concept code to reproduce the issue.
- Avoid violating privacy rights, destroying or degrading data, or interrupting our production systems (e.g., avoid denial-of-service testing).
- Allow us a reasonable period of time to review, remediate, and patch the vulnerability before disclosing it publicly.
- Do not perform social engineering, phishing, or physical security attacks against Fauji Niwas staff or users.
🔎 In-Scope Systems
The following systems are currently in scope for security reviews:
- The live web application: https://faujiniwas.web.app
- The React/Vite front-end source files.
- The Firestore Security Rules layer.
- The E2EE Web Crypto client library implementation.
Out-of-scope issues include simple spam, third-party library vulnerabilities that have no direct exploit path, and standard browser warnings that do not present a security risk.
📧 How to Report a Vulnerability
If you have discovered a security issue, please contact our security team directly via email. We will investigate all reports promptly.
Submit your report to:
security@faujiniwas.web.app