Responsible Disclosure

Report a vulnerability

We take security seriously and value the work of researchers who help us keep our platform and customers safe. If you have found a vulnerability, we want to hear from you.

Our Policy

Disclosure
guidelines

Security research helps us build a more resilient platform. These guidelines define how we work with researchers.

Scope

Our production applications, APIs, and infrastructure at alvor.io and associated subdomains.

Response Time

We acknowledge all reports within 24 hours and aim to provide an initial assessment within 5 business days.

Safe Harbour

We will not pursue legal action against researchers who act in good faith and follow this policy.

Confidentiality

We ask that you do not publicly disclose the vulnerability until we have had reasonable time to address it.

Recognition

With your permission, we will credit you publicly for verified vulnerabilities in our security advisories.

Out of scope

Denial of service (DoS/DDoS) attacks
Social engineering or phishing of employees
Physical security attacks
Automated scanning without prior coordination
Vulnerabilities in third-party services we do not control

Submit a Report