Responsible Disclosure

AliasVault takes security seriously and encourages responsible disclosure of security vulnerabilities.

Home
Responsible Disclosure

We appreciate the work of security researchers and ethical hackers who help keep AliasVault and our users secure. If you believe you have discovered a security vulnerability in AliasVault, we encourage you to report it to us responsibly.

Please report security vulnerabilities to:

security@support.aliasvault.net

Commitment

We take responsible disclosure of security vulnerabilities seriously. Where applicable, we will:

Acknowledge receipt of your report within 48 hours
Investigate and validate the reported vulnerability
Provide regular updates on our progress
Credit you in our security advisory (if desired)
Submit for CVE assignment when applicable
Coordinate disclosure timeline with you

Disclosure Guidelines

To ensure the safety of our users and systems, please follow these guidelines:

Do not access, modify, or delete user data
Use minimal interaction necessary to demonstrate the vulnerability
Keep vulnerability details confidential until coordinated disclosure
Do not violate any applicable laws or regulations
Test only against systems you own (self-hosted) or have explicit permission to test

Scope

This policy applies to:

AliasVault main application (app.aliasvault.net)
AliasVault API endpoints (app.aliasvault.net/api)
AliasVault website and subdomains
Official AliasVault mobile applications
Official AliasVault browser extensions

Out of Scope

The following are typically considered out of scope:

Social engineering attacks
Physical attacks against AliasVault infrastructure
Denial of service attacks
Spam or content injection
Automated scanning without prior approval

Thank you for helping us keep AliasVault secure for everyone.