Responsible Disclosure Program

Security is important to us at Tamara. We constantly strive to ensure our customers feel safe and secure using our services. If you believe you have discovered a potential security vulnerability on any of our Tamara domains, report your findings to us so we can fix it as soon as possible - and earn rewards!

Reporting your findings:

We will get back to you within 14 business days after receiving the submission. You will be notified via email, SMS, or push notification.

Our Bug Bounty Program is temporarily closed.

Expectations

Please provide a clear, concise description, along with steps to reproduce, Proof-of-Concept, URL, and details of the vulnerable system when submitting a vulnerability.
Please give us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. Depending on the severity of the issue, it may take us a few days to get back to you with feedback.

Out-of-scopes techniques

Denial of Service or brute force attacks unless they expose confidential data.
Spam or social engineering techniques conducted on any Tamara employee, vendor or contractor.
Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
Password policy, Absence SPF/DMARC, Missing Security Header, Self-XSS, Login/Logout CSRF, Lacking CSRF (unless affecting sensitive user action).

Tamara Finance Company (a joint-stock Saudi company)
Under the Supervision and control of The Saudi Central Bank (SAMA) as per Permit No: 74/AH/202306
The capital is 515,000,000 Saudi Riyals.
Commercial Registration No: 1010627663. Unified No: 7016874419. Tel. 8001240441.
King Abdullah Branch Road, King Salman Dist. Building No. 2907, Postal Code 12444, Riyadh, Kingdom of Saudi Arabia.