Vulnerability disclosure policy

Alpacon is committed to ensuring the security of our platform and protecting our users. We welcome and appreciate security researchers and users who help us identify and address security vulnerabilities.

Reporting a vulnerability

How to report

If you believe you’ve discovered a security vulnerability in Alpacon, please report it to us:

Email: security@alpacax.com

PGP key (optional for encrypted communication):

-----BEGIN PGP PUBLIC KEY BLOCK-----
Available upon request at security@alpacax.com
-----END PGP PUBLIC KEY BLOCK-----

What to include

Please provide as much information as possible:

  1. Description: Clear description of the vulnerability
  2. Impact: Potential security impact and severity assessment
  3. Steps to reproduce: Detailed steps to reproduce the issue
  4. Proof of concept: Code, screenshots, or video demonstrating the vulnerability (if applicable)
  5. Affected components: Which parts of Alpacon are affected (web app, agent, API, etc.)
  6. Your contact information: So we can follow up with questions
  7. Disclosure timeline: Your preferred disclosure timeline

Example report:

Subject: [Security] SQL Injection in User Search

Description:
The user search functionality in the IAM section is vulnerable to SQL injection.

Impact:
An authenticated attacker with staff privileges could extract sensitive data from the database, including hashed passwords and user credentials.

Steps to Reproduce:
1. Log in as a staff user
2. Navigate to IAM > Users
3. Enter the following in the search box: ' OR 1=1--
4. Observe that all users are returned, bypassing search filters

Affected Version: v2.3.1
Environment: Production (alpacon.io)
Browser: Chrome 120.0

Contact: researcher@example.com
Preferred Disclosure: 90 days

Our commitment

Response timeline

  • Initial response: Within 48 hours of receiving your report
  • Vulnerability assessment: Within 5 business days
  • Status updates: Regular updates throughout the investigation and remediation process
  • Resolution: Timeline depends on severity (see below)

Severity-based resolution timeline

Severity   Description                                                 Target resolution
Critical   Remote code execution, authentication bypass, data breach   7 days
High       Privilege escalation, significant data exposure             30 days
Medium     Information disclosure, denial of service                   60 days
Low        Minor security issues, configuration problems               90 days

What we will do

  1. Acknowledge your report promptly
  2. Investigate the reported vulnerability
  3. Keep you informed of our progress
  4. Fix confirmed vulnerabilities in a timely manner
  5. Credit you for your discovery (if desired)
  6. Notify affected users if necessary

Responsible disclosure

Disclosure timeline

We request that you:

  1. Give us time to investigate and fix the vulnerability before public disclosure
  2. Coordinate disclosure timing with our security team
  3. Avoid exploiting the vulnerability beyond what’s necessary to demonstrate it
  4. Refrain from disclosing the vulnerability publicly until we’ve released a fix

Standard disclosure timeline:

  • Critical/High: 90 days from initial report
  • Medium/Low: 120 days from initial report
  • Negotiable: We’re open to adjusting timelines based on circumstances

Public disclosure

After a fix is released, we support coordinated public disclosure:

  • Security advisory: We’ll publish a security advisory crediting you (if desired)
  • CVE assignment: We’ll request CVE IDs for qualifying vulnerabilities
  • Blog post: For significant vulnerabilities, we may publish a detailed blog post
  • Your writeup: You’re welcome to publish your own technical writeup after disclosure

Scope

In scope

The following are within the scope of our vulnerability disclosure program:

Infrastructure & applications:

  • *.alpacon.io - Main application and workspace domains
  • auth.alpacon.io - Authentication service
  • Alpacon web application (browser-based)
  • Alpacon CLI tool
  • Alpamon agent software
  • Public APIs and endpoints

Vulnerability types:

  • Authentication and authorization bypasses
  • Remote code execution
  • SQL injection, NoSQL injection
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Server-side request forgery (SSRF)
  • Insecure direct object references (IDOR)
  • Security misconfigurations
  • Sensitive data exposure
  • XML external entity (XXE) attacks
  • Deserialization vulnerabilities
  • Business logic flaws with security impact

Out of scope

The following are outside the scope:

Excluded domains & assets:

  • Third-party services we use (AWS, Cloudflare, etc.)
  • Employee email accounts
  • *.alpacax.com (separate company domain)
  • Archived or deprecated services

Excluded vulnerability types:

  • Denial of Service (DoS/DDoS) attacks
  • Social engineering attacks against Alpacon employees
  • Physical attacks against Alpacon offices or data centers
  • Spam or phishing attacks
  • Vulnerabilities in outdated browsers or platforms
  • Issues that require physical access to a user’s device
  • Vulnerabilities in third-party applications or libraries (report to the vendor)

Non-security issues:

  • Bugs that don’t have security impact
  • Feature requests
  • Usability issues
  • Performance issues (unless they enable DoS)

Safe harbor

Alpacon is committed to working with security researchers and will not pursue legal action against researchers who:

  1. Act in good faith to report security vulnerabilities
  2. Make a good faith effort to avoid privacy violations, data destruction, and service disruption
  3. Do not exploit vulnerabilities beyond what’s necessary to demonstrate them
  4. Follow this disclosure policy

Legal protection:

  • We will not initiate legal action for vulnerability research conducted under this policy
  • We will not report you to law enforcement for good-faith security research
  • If legal action is initiated by a third party, we will take steps to make it known that your actions were conducted under this policy

Recognition

Hall of fame

We maintain a Security Researchers Hall of Fame to recognize contributors:

  • Listed on our Security page
  • Public acknowledgment in security advisories
  • Social media recognition (with your permission)
  • Alpacon swag and merchandise

Opt-out: If you prefer to remain anonymous, we’ll respect your wishes.

Bug bounty program

Coming soon: We’re planning to launch a bug bounty program with monetary rewards.

Current status: While we don’t currently offer monetary rewards, we deeply appreciate security research and will recognize your contributions.

Future plans:

  • Monetary rewards based on severity
  • Platform: HackerOne or Bugcrowd
  • Expected Launch: 2026

Contact information

Security team

Emergency contact

For critical vulnerabilities being actively exploited:

General security inquiries

For non-vulnerability security questions:

Additional resources

Policy updates

This vulnerability disclosure policy may be updated from time to time. Material changes will be announced on our blog and security mailing list.

Current version: 1.0
Last updated: November 2025
Next review: June 2026

Thank you for helping keep Alpacon and our users safe!