Security: Nebras-Open-Finance/api-specs

SECURITY.md

Security Policy

Reporting a vulnerability

If you believe you have found a security vulnerability in any Nebras Open Finance repository — including the documentation site, OpenAPI specifications, or Postman collections — please report it privately rather than opening a public issue or discussion.

Email: technology@nebrasopenfinance.ae

Please include, where possible:

  • The repository and file or endpoint affected
  • A clear description of the issue and its potential impact
  • Steps to reproduce, or a proof-of-concept
  • Any suggested remediation
  • Your name or handle for acknowledgement (optional)

What to expect

  • We aim to acknowledge reports within 3 business days.
  • We will keep you informed as we investigate and work on a fix.
  • We follow a coordinated disclosure approach: please give us reasonable time to remediate before disclosing publicly.
  • Once a fix is in place, we are happy to credit reporters who wish to be named.

Scope

This policy covers material published by Nebras Open Finance on GitHub. It does not cover production deployments of the UAE Open Finance API Hub or LFI/TPP systems operated by ecosystem participants — those should be reported through the relevant participant's own channels.

There aren't any published security advisories