Responsible Disclosure

Our bug bounty program and how you can report security vulnerabilities.

How to report an issue

If you believe you have found a security vulnerability, please send an email to security@alloy.app with the following details:

  • A general description of the vulnerability
  • The URL where this vulnerability was found
  • The steps to reproduce the vulnerability, including screenshots or videos if relevant

What we expect from you

  • Do not execute a Denial of Service (DoS) attack.
  • Do not run any automated tools against our servers.
  • Do not access or modify any data that does not belong to you.
  • Do not publicly disclose the vulnerability until we have had a reasonable amount of time to fix it.

What you can expect from us

  • We will respond to your report within 48 hours.
  • We will perform our own risk assessment for every reported vulnerability.
  • If your report is not eligible, we will let you know.
  • If your report is valid, we will prioritize the issue and inform you once it has been fixed.
  • We will let you decide whether you want to be publicly acknowledged or not.

Bug bounty

Our bug bounty program offers monetary rewards when the Alloy team determines (in its sole discretion) that you have identified a valid security vulnerability. We have financially compensated over ten security researchers so far, and are excited to continue doing so for valid reports.

To qualify, the vulnerability must:

  • Be previously unreported (i.e. not already known to the Alloy team)
  • Have a CVSS v3.1 base score of 4.0 or higher (medium severity or above)
  • Comply with all other program guidelines on this page

Demonstrating unauthorized access to customer data (such as by demonstrating cross-tenant data leakage) is the best way to qualify for a large monetary reward.

We take the utmost care when evaluating and understanding the impact of your report. Once we determine whether your report is eligible, our decision is final.

Due to limited capacity, we are unable to provide responses to follow-up appeals, or any attempts to negotiate the bounty eligibility or amount. Abuse of this policy will result in permanent disqualification from the program.

In scope

  • https://alloy.app
  • https://integrations.alloy.app

Out of scope

  • Automated scanning
  • Social engineering
  • Password brute force
  • Clickjacking on pages with no sensitive actions
  • Missing security headers (unless you can demonstrate an exploit)
  • Security issues only reproducible under highly unlikely conditions (using outdated browsers, operating systems, or insecure internet connections)
  • Missing best practices in HTTP headers (CSP, etc.), HTTP cookies, TLS ciphersuites, and DNS configuration (email [SPF/DKIM/DMARC/MTA-STS], CAA, DNSSEC, etc.) may be considered informative but are unlikely to qualify for any reward.

Safe Harbour

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy.
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls.
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis.
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.