Responsible Disclosure

AliasVault takes security seriously and encourages responsible disclosure of security vulnerabilities.

We appreciate the work of security researchers and ethical hackers who help keep AliasVault and our users secure. If you believe you have discovered a security vulnerability in AliasVault, we encourage you to report it to us responsibly.

Please report security vulnerabilities to:

security@support.aliasvault.net

Commitment

We take responsible disclosure of security vulnerabilities seriously. Where applicable, we will:

  • Acknowledge receipt of your report within 48 hours
  • Investigate and validate the reported vulnerability
  • Provide regular updates on our progress
  • Credit you in our security advisory (if desired)
  • Submit for CVE assignment when applicable
  • Coordinate disclosure timeline with you

Disclosure Guidelines

To ensure the safety of our users and systems, please follow these guidelines:

  • Do not access, modify, or delete user data
  • Use minimal interaction necessary to demonstrate the vulnerability
  • Keep vulnerability details confidential until coordinated disclosure
  • Do not violate any applicable laws or regulations
  • Test only against systems you own (self-hosted) or have explicit permission to test

Scope

This policy applies to the AliasVault main application (app.aliasvault.net) and API endpoints. Social engineering, physical attacks, denial of service, spam, and automated scanning without prior approval are typically considered out of scope.

Hall of Fame

This Hall of Fame consists of security researchers who have helped make AliasVault more secure by responsibly disclosing vulnerabilities in the past. We recognize and thank these researchers for their valuable contributions:

Filippo Decortes (Bitcube Security)

September 19, 2025

High severity: CVE-2025-59344

Server-Side Request Forgery (SSRF) vulnerability in favicon extraction feature allowing internal network scanning and limited data exfiltration in AliasVault API versions ≤0.23.0

Advisory: GHSA-f253-f7xc-w7pj