How to report
Email security@alterscope.org. That address is our intake address for security reports. If you can't reach it, support can route a report to the security team, but please don't include vulnerability details in a general support ticket.
In your report, please include:
- A clear description of the issue and its security impact.
- The affected endpoint, page, or component, and the time of testing (in UTC).
- Step-by-step reproduction, including any request/response samples. If a specific call is involved, the request_id from the response (see Support) helps us trace it.
- Any proof-of-concept code or screenshots, and your assessment of severity.
security@alterscope.org is the canonical contact for security reports. If this page and any other reference to our security contact ever disagree, treat security@alterscope.org as the source of truth and tell us about the discrepancy.
Scope
In scope:
- The Alterscope API at https://api.alterscope.org.
- The developer portal and documentation site.
- The web application used to manage organizations, API keys, and connections.
Out of scope:
- Denial-of-service, volumetric, or load/stress testing against production. Note that the API enforces per-tier rate limits and returns 429 once you exceed them; that is expected behavior, not a finding.
- Social engineering, phishing, or physical attacks against Alterscope staff, users, or facilities.
- Third-party services and infrastructure we don't operate (cloud providers, upstream data sources, on-chain protocols Alterscope indexes).
- Reports generated solely by automated scanners with no demonstrated, exploitable impact.
- Missing security headers or best-practice findings with no concrete exploit path. Our Security page documents the protections that are in place.
Rules of engagement
To keep research good-faith and avoid harming users:
- Use your own account and credentials. Don't access, modify, or destroy data that isn't yours, and don't attempt to access another organization's data.
- Stop at proof of concept. Once you’ve demonstrated a vulnerability, stop — don’t pivot, escalate, or exfiltrate data beyond what’s needed to prove the issue.
- Keep your testing scoped and low-volume. Avoid actions that could degrade service for others.
- Never include real secrets in a report. If you discover a leaked credential or API key, report its location — don’t paste the secret itself.
- Keep findings confidential until we’ve had a reasonable chance to remediate and have coordinated any disclosure with you.
What to expect
- Acknowledgement. We aim to confirm receipt of your report within a few business days.
- Assessment. We’ll triage the report, validate it, and work with you on any clarifying questions.
- Remediation. We’ll keep you informed of progress and let you know when the issue is resolved.
- Coordinated disclosure. If you’d like to publish, we’ll coordinate timing with you. We’re glad to credit researchers who report in good faith — let us know how you’d like to be acknowledged, or if you’d prefer to stay anonymous.
Safe harbor
If you make a good-faith effort to follow this policy, we consider your security research authorized. Specifically:
- We will not pursue or support legal action against you for research that adheres to this policy, including the scope and rules of engagement above.
- We consider such research to be authorized access for the purpose of relevant anti-hacking laws, and exempt from restrictions in our terms of service that would otherwise conflict with security research conducted under this policy.
- If a third party brings legal action against you for activity that complied with this policy, we’ll make it known that your actions were authorized.
Related
Security
The access, credential-encryption, and transport controls in the product today.
Support
General help with the API, your account, and how to cite a request ID.