Security Vulnerability Disclosure
We take the security of our systems and our users seriously. If you believe you have found a vulnerability, we want to hear from you.
Reporting a Vulnerability
If you discover a security vulnerability in any Institute Alterna system, please report it responsibly by emailing hey@alterna.dev with the subject line “Security Vulnerability Report”.
What to Include
Please include the following in your report:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any relevant screenshots, logs, or proof-of-concept code
- Your name and contact information (optional, but appreciated)
Our Commitment
When you report a vulnerability to us, we commit to:
- Acknowledging receipt of your report within 48 hours
- Providing an initial assessment within 5 business days
- Keeping you informed of our progress toward resolution
- Not pursuing legal action against researchers who act in good faith and follow this disclosure policy
Scope
This policy applies to all systems operated by Institute Alterna, including:
- alterna.dev and all subdomains
- Our public GitHub repositories
- Any web applications or APIs we operate
Out of Scope
The following are considered out of scope:
- Denial-of-service attacks
- Social engineering of staff or volunteers
- Physical security testing
- Third-party services we use but do not control
Safe Harbour
We consider security research conducted in accordance with this policy to be authorised. We will not pursue civil or criminal action against researchers who follow these guidelines. If legal action is initiated by a third party, we will take steps to make it known that your actions were conducted in compliance with this policy.
Recognition
We appreciate the efforts of security researchers in helping keep our systems safe. With your permission, we are happy to publicly acknowledge your contribution.