Responsible Disclosure Policy

We take security seriously. If you discover a vulnerability, we want to hear from you and will work with you to resolve it.

Security Contact

Report security vulnerabilities to our dedicated security team. We encourage encrypted communication when possible.

[email protected]

Please use a descriptive subject line such as “Vulnerability Report: [brief description]”.

Scope

The following Algonney-owned systems and services are within scope for vulnerability testing:

  • Main website: algonney.com
  • API: api.algonney.com
  • Application/dashboard: app.algonney.com
  • Authentication and session management
  • Exchange API key handling and storage
  • Wallet, payment, and subscription flows
  • Publicly owned subdomains only

Out of Scope

The following are explicitly out of scope and will not be considered valid reports:

  • Social engineering attacks (phishing, pretexting, etc.)
  • Physical attacks against infrastructure or offices
  • Spam or relay testing
  • Denial of service (DoS/DDoS) or resource exhaustion attacks
  • Attacks against third-party providers or services
  • Automated scanner findings without a demonstrable exploit
  • Missing email DNS records (SPF, DKIM, DMARC) unless directly exploitable
  • Reports that require stolen credentials or compromised accounts

Safe Harbor

If you act in good faith and follow this policy, Algonney will not pursue legal action against you. We consider security research a collaborative effort to protect our users.

To qualify for safe harbor, you must:

  • Avoid accessing, modifying, or deleting other users' data
  • Not exfiltrate secrets, credentials, or sensitive information
  • Not cause service disruption or degrade availability
  • Not install persistent backdoors or maintain access
  • Report the vulnerability promptly with no public disclosure before we have resolved it

Testing Rules

When testing for vulnerabilities, follow these rules:

  • Do not access, exfiltrate, or modify other users' data
  • Do not exfiltrate secrets, API keys, or credentials
  • Do not modify or delete production data
  • Do not run destructive tests or automated exploitation tools against production
  • Use your own test accounts whenever possible
  • Stop testing immediately and report if you accidentally access sensitive data

What to Include in a Report

To help us triage and resolve the issue quickly, please include:

  • A clear description of the vulnerability
  • Step-by-step instructions to reproduce the issue
  • An assessment of the potential impact
  • The affected URL(s) or API endpoint(s)
  • Screenshots, HTTP requests/responses, or proof of concept
  • A suggested fix or mitigation, if known

Response Timeline

We are committed to responding to reports promptly and keeping you informed throughout the process:

  1. Acknowledgment: Within 3–5 business days of receiving your report
  2. Triage & Assessment: Within 10 business days, including severity classification
  3. Remediation: Timeline based on severity — critical issues prioritized immediately
  4. Resolution Notification: You will be notified when the fix is deployed

Bug Bounty Program

Algonney does not currently offer a paid bug bounty program. We value every responsible disclosure and will acknowledge contributors in our security advisories when the vulnerability is resolved, unless you prefer to remain anonymous.

Legal & Compliance

This policy does not authorize any activity that is unlawful under applicable local, national, or international law. Researchers must comply with all applicable laws and regulations. Safe harbor applies only to research conducted within the scope and rules described on this page.