Security & Responsible Disclosure
We take security seriously. If you've found a vulnerability in ASVAB Coach, we appreciate your help in disclosing it responsibly.
This page summarizes the policy for ASVAB Coach specifically. For the umbrella policy covering all KhassinX apps, see khassinx.com/security.
Reporting
Email: [email protected]
Machine-readable disclosure pointer: /.well-known/security.txt (RFC 9116)
Scope
- asvab.khassinx.com (this website)
- ASVAB Coach iOS / iPadOS / watchOS app on the Apple App Store
Out of scope
- Third-party services (Apple App Store, Cloudflare, GitHub) — please report to them directly
- Volumetric attacks (DDoS, brute force) — not vulnerabilities
- Reports generated solely by automated scanners without reproducible proof of impact
Response targets
- Acknowledgement: within 5 business days
- Initial triage: within 14 days
- Coordinated disclosure timeline: agreed case by case
Safe harbor
We will not pursue legal action against researchers acting in good faith — investigating, reporting, and respecting our scope rules. This includes researchers accessing only data necessary to demonstrate the issue, not exfiltrating user data, and giving us reasonable time to remediate before public disclosure.
Recognition
We don't currently offer a monetary bug bounty. We do offer:
- Public acknowledgement (Hall of Thanks)
- Free lifetime credit for ASVAB Coach
- A formal letter of recognition you can use in your portfolio