
Vulnerability Disclosure Policy

How to report security vulnerabilities to Alertoscan. Our responsible disclosure policy for security researchers.

Last updated: January 2025

Introduction

At Alertoscan, we take the security of our systems seriously. We value the security community and believe that responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

This policy describes how to report vulnerabilities to us, what we expect from you, and what you can expect from us.

Scope

This policy applies to all Alertoscan services and infrastructure, including:

  • alertoscan.io - Main website and web application
  • API endpoints - Our public and private APIs
  • Related subdomains - Any *.alertoscan.io services

Out of Scope

The following are excluded from this policy:

  • Social engineering attacks (phishing, vishing, etc.)
  • Denial of Service (DoS/DDoS) attacks
  • Physical attacks against our offices or data centers
  • Attacks against third-party services we use
  • Spam or social media account issues
  • Issues in third-party applications or libraries (report these to the respective vendors)

How to Report a Vulnerability

Reporting Channel

Please report vulnerabilities through our contact form:

Report a Security Vulnerability

Select "Security Report" as the inquiry type.

What to Include

To help us triage and respond quickly, please include:

  1. Description - A clear description of the vulnerability
  2. Steps to Reproduce - Detailed steps to reproduce the issue
  3. Impact Assessment - Your assessment of the potential impact
  4. Proof of Concept - Screenshots, videos, or code demonstrating the issue
  5. Your Contact Information - So we can follow up with questions

What NOT to Do

When researching vulnerabilities, please:

  • Do NOT access, modify, or delete data that does not belong to you
  • Do NOT perform actions that could harm our users or services
  • Do NOT use automated scanning tools that generate excessive traffic
  • Do NOT publicly disclose the vulnerability before we have addressed it
  • Do NOT demand financial compensation as a condition for reporting

Our Commitment

When you report a vulnerability to us, we commit to:

Response Timeline

Action                    Timeline
Initial acknowledgment    Within 3 business days
Severity assessment       Within 7 business days
Status update             At least every 14 days
Resolution target         90 days (critical issues prioritized)

What We Will Do

  • Acknowledge your report promptly
  • Investigate the issue and keep you informed of our progress
  • Work with you to understand and resolve the issue
  • Credit you (if desired) when we publicly disclose the fixed vulnerability
  • Not pursue legal action against researchers who follow this policy

Safe Harbor

Alertoscan will not pursue legal action against security researchers who:

  • Make a good faith effort to comply with this policy
  • Avoid privacy violations, data destruction, or service disruption
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate them
  • Report vulnerabilities promptly and do not publicly disclose before resolution

Recognition

We appreciate the security research community's efforts in helping keep our users safe. With your permission, we may:

  • Publicly acknowledge your contribution
  • Add your name to our security acknowledgments page
  • Provide a reference letter for your security research work

Questions

If you have questions about this policy or need clarification before reporting, please contact us at contact@alertoscan.io.


This policy is based on industry best practices and guidelines from ISO/IEC 29147 and the NCSC Vulnerability Disclosure Toolkit.