Security

Responsible Disclosure

We take the security of our platform seriously. If you've found a vulnerability, we want to work with you to resolve it quickly and safely.

Report

Found something? Let us know.

Email us with the details below and we'll get back to you. The more context you provide, the faster we can act.

security@getalloy.dev

PGP key available on request

Include in your report

01

A description of the vulnerability and its potential impact

02

Steps to reproduce the issue

03

Any relevant screenshots, logs, or proof-of-concept code

04

Your contact information so we can follow up

Response

What to expect.

01 Within 2 business days

Acknowledgement

We confirm receipt of your report and assign a tracking reference.

02 Within 5 business days

Initial assessment

We triage the issue, confirm severity, and share our initial findings with you.

03 Ongoing

Resolution & disclosure

We keep you informed as we work through the fix and notify you when it ships.

Guidelines

Rules of engagement.

Allow reasonable time

Give us time to investigate and address the issue before any public disclosure.

Avoid harm

Make a good faith effort to avoid privacy violations, data destruction, or service disruption.

Respect boundaries

Do not access or modify data belonging to other users or tenants.

No denial of service or social engineering

Do not perform denial-of-service testing against our infrastructure or social engineering (phishing, pretexting, physical intrusion) against Alloy staff.

Scope

What's covered.

Alloy platform & APIs (all production endpoints): IN SCOPE

getalloy.dev (including subdomains): IN SCOPE

Open source projects (Alloy-maintained repositories): IN SCOPE

Safe harbour

We will not take legal action against researchers who discover and report vulnerabilities in good faith, following the guidelines above. We consider security research conducted under this policy to be authorised.

Bug bounty

We do not currently operate a bug bounty programme. We appreciate every legitimate report, but we cannot respond to raw automated scanner output, reports with no demonstrable security impact, or unsolicited requests for payment ("beg bounties").

Ready to report?

Send your findings to our security team. We'll acknowledge within 2 business days and keep you updated throughout the process.