FAQ

Here are answers to the questions we hear most often from Catchify clients. If your question is not covered here, contact your account manager or email [email protected].

Account & Access

I did not receive my invitation email. What should I do?

Check your spam or junk folder first. If you still cannot find it, ask the team manager who sent the invitation to resend it from the Team page. If the problem persists, contact [email protected].

I forgot my password. How do I reset it?

Go to portal.catchify.sa, click Forgot Password?, and enter your email address. You will receive a link to set a new password. The link expires after 1 hour, so use it promptly.

My account seems to be locked. What happened?

For security, accounts are temporarily locked after multiple failed login attempts. Wait a few minutes and try again. If you are still unable to log in, contact [email protected] for assistance.

I lost access to my authenticator app for 2FA. How do I get back in?

Contact the Catchify support team at [email protected]. After verifying your identity, we will reset your two-factor authentication so you can set it up again on a new device.

Can I change the email address on my account?

Contact your account manager to request an email change. For security, email changes require identity verification.

Findings & Vulnerabilities

What is a finding?

A finding is a security vulnerability or weakness discovered during penetration testing or through your bug bounty program. Each finding includes a description, severity level, evidence, and recommendations for fixing the issue. See Understanding Findings for details.

What do the severity levels mean?

Findings are rated from Critical (most severe) to Informational (least severe). Critical findings represent immediate threats, while Informational findings are best-practice recommendations. See Severity Levels Explained for a full breakdown.

How quickly should I fix a finding?

We recommend addressing Critical findings within 24-48 hours, High findings within 1-2 weeks, and Medium findings within a month. Low and Informational findings can be addressed in regular development cycles. These are guidelines -- your account manager can help you prioritize based on your specific context.

Can I dispute or discuss a finding's severity?

Yes. Add a comment to the finding explaining your perspective, or contact your account manager. The Catchify team is open to reviewing severity assessments based on your business context and environment.

What does "Accepted Risk" mean?

When you mark a finding as Accepted Risk, it means your organization has acknowledged the vulnerability but has decided not to fix it at this time -- perhaps because the risk is mitigated by other controls, or the cost of fixing outweighs the risk. The finding remains documented for future reference.

Penetration Testing

How long does a typical pentest take?

It depends on the scope. A focused web application test might take 1-2 weeks, while a comprehensive assessment of multiple systems could take 3-4 weeks. Your account manager will provide a timeline when your quote is prepared.

Can I see findings during the test, or only after it is complete?

You can see findings in real time as they are discovered. You do not need to wait for the final report to start reviewing and addressing issues.

How do I request a retest after fixing a vulnerability?

Open the finding, change its status to Fixed, and click Request Retest. The Catchify team will verify your fix, usually within 1-3 business days. See Requesting a Retest for step-by-step instructions.

Where do I download my pentest report?

Go to Projects, click on the completed project, and navigate to the Reports tab. Click Download PDF to save the report. See Pentest Reports for more details.

Bug Bounty

What is the difference between a pentest and a bug bounty program?

A penetration test is a time-bound, structured engagement where our team tests your applications during a defined period. A bug bounty program is ongoing -- researchers continuously test your applications, and you only pay for valid findings. Many organizations use both for comprehensive coverage.

Who are the researchers testing my applications?

Catchify's researchers go through an identity verification and screening process before joining the platform. Your bug bounty program is private -- only vetted, invited researchers can see and participate.

How are duplicate reports handled?

The Catchify triage team reviews all reports before they reach you. If a researcher submits a vulnerability that has already been reported by someone else, it is marked as a duplicate and does not appear in your review queue.

How do I fund researcher rewards?

You add credits to your bug bounty wallet, and rewards are deducted automatically when reports are approved. See Wallet & Payments for details.

Invoices & Payments

How do I view and download my invoices?

Navigate to Invoices in the main menu. Click any invoice to view its details, and click Download PDF to save a copy. See Your Invoices for details.

Are invoices ZATCA-compliant?

Yes. All Catchify invoices are generated in compliance with ZATCA (Zakat, Tax and Customs Authority) regulations, including proper VAT calculation and required formatting.

What payment methods do you accept?

Catchify accepts bank transfers and wire transfers. Payment instructions are included on each invoice. Contact your account manager if you need alternative arrangements.

Team & Access

How many team members can I add?

There is no limit. You can invite as many team members as needed to your Catchify account.

What is the difference between a Manager and a Member?

Managers have full access to everything in the portal. Members have customizable permissions -- you can choose exactly what they can see and do. See Roles & Permissions for details.

Can I remove a team member's access?

Yes. Go to the Team page, find the member, and click Remove. Their access will be revoked immediately.

Data & Security

Where is my data stored?

All Catchify data is hosted in Dammam, Saudi Arabia, ensuring your information stays within the Kingdom and meets local data residency requirements.

Is my data encrypted?

Yes. All data is encrypted in transit (using TLS/SSL) and at rest. The Catchify platform follows industry best practices for data protection.

Who can see my findings and reports?

Only authorized members of your organization can see your data. The Catchify team has access for the purpose of providing testing and support services. Your data is never shared with other clients.

Still Have Questions?

If your question was not answered here, we are happy to help:

• Email: [email protected]

• Account Manager: Check your portal settings for contact details