Security Vulnerability Disclosure
We welcome responsible and good-mannered security research on the systems that our personnel and learners use.
Reporting a Vulnerability
If you discover a security vulnerability in any Alterna system, please report it responsibly by emailing safety [at] alterna.dev with the subject line “Security Vulnerability Report”, followed by a descriptive title of the issue. If you are able to, we strongly suggest that you encrypt your report using our PGP key.
We kindly ask that you neither disclose the vulnerability to outside parties nor abuse it maliciously until we have resolved the issue or otherwise notified you.
What to Include
Please include the following in your report:
- A precise description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any relevant screenshots, logs, or proof-of-concept code
- Your real name (or pseudonym) and contact information (optional, but appreciated)
What We'll Do
When you report a vulnerability to us, we commit to:
- Acknowledging receipt of your report within 48 hours
- Providing an initial assessment within 5 business days
- Keeping you informed of our progress toward resolution
- Not pursuing legal action against researchers who act in good faith and follow this disclosure policy
Scope
This policy applies to all systems operated by Institute Alterna, including:
- alterna.dev and all subdomains
- Our public GitHub repositories
- Any web applications or APIs we operate
Out of Scope
The following are considered out of scope and won't be recognised:
- Denial of service attacks
- Social engineering of volunteers or learners
- Physical security testing
- Third-party services we use but do not control
Safe Harbour
We consider security research conducted in accordance with this policy to be authorised. We will not pursue civil or criminal action against researchers who follow these guidelines. If legal action is initiated by a third party, we will take steps to make it known that your actions were conducted in compliance with this policy.
Recognition
We appreciate the efforts of security researchers in helping keep our systems safe. With your permission, we are happy to publicly acknowledge your contribution.
Paid Bounties
At this time, we do not offer paid bounties for vulnerability reports. However, we are open to discussing other forms of recognition or rewards for significant contributions.
Any report that withholds details until a payment is made will not be recognised and will be considered a violation of this policy.