We want to hear about security issues in our systems, and we want the researchers who find them to be able to report safely. This page describes what is in scope, how to reach us, what happens after you report, and the protections that apply to good-faith research. This is a coordinated, good-faith disclosure policy. We do not operate a paid bug bounty.

How to report

Email security@alterscope.org.
security@alterscope.org is our intake address for security reports. If you can’t reach it, support can route a report to the security team, but please don’t include vulnerability details in a general support ticket.
A useful report includes:
  • A clear description of the issue and its security impact.
  • The affected endpoint, page, or component, and the time of testing (in UTC).
  • Step-by-step reproduction, including any request/response samples. If a specific call is involved, the request_id from the response (see Support) helps us trace it.
  • Any proof-of-concept code or screenshots, and your assessment of severity.
Please report promptly after you discover an issue, and give us reasonable time to remediate before any public disclosure. security@alterscope.org is the canonical contact for security reports. If this page and any other reference to our security contact ever disagree, treat security@alterscope.org as the source of truth and tell us about the discrepancy.

Scope

In scope:
  • The Alterscope API at https://api.alterscope.org.
  • The developer portal and documentation site.
  • The web application used to manage organizations, API keys, and connections.
Out of scope (please do not test these):
  • Denial-of-service, volumetric, or load/stress testing against production. Note that the API enforces per-tier rate limits and returns 429 once you exceed them — that is expected behavior, not a finding.
  • Social engineering, phishing, or physical attacks against Alterscope staff, users, or facilities.
  • Third-party services and infrastructure we don’t operate (cloud providers, upstream data sources, on-chain protocols Alterscope indexes).
  • Reports generated solely by automated scanners with no demonstrated, exploitable impact.
  • Missing security headers or best-practice findings with no concrete exploit path. Our Security page documents the protections that are in place.
If you’re unsure whether something is in scope, ask before testing.

Rules of engagement

To keep research good-faith and avoid harming users:
  • Use your own account and credentials. Don’t access, modify, or destroy data that isn’t yours, and don’t attempt to access another organization’s data.
  • Stop at proof of concept. Once you’ve demonstrated a vulnerability, stop — don’t pivot, escalate, or exfiltrate data beyond what’s needed to prove the issue.
  • Keep your testing scoped and low-volume. Avoid actions that could degrade service for others.
  • Never include real secrets in a report. If you discover a leaked credential or API key, report its location — don’t paste the secret itself.
  • Keep findings confidential until we’ve had a reasonable chance to remediate and have coordinated any disclosure with you.

What to expect

  • Acknowledgement. We aim to confirm receipt of your report within a few business days.
  • Assessment. We’ll triage the report, validate it, and work with you on any clarifying questions.
  • Remediation. We’ll keep you informed of progress and let you know when the issue is resolved.
  • Coordinated disclosure. If you’d like to publish, we’ll coordinate timing with you. We’re glad to credit researchers who report in good faith — let us know how you’d like to be acknowledged, or if you’d prefer to stay anonymous.
We don’t currently offer monetary rewards. We do read every report, fix what’s real, and treat researchers with respect.

Safe harbor

If you make a good-faith effort to follow this policy, we consider your security research authorized. Specifically:
  • We will not pursue or support legal action against you for research that adheres to this policy, including the scope and rules of engagement above.
  • We consider such research to be authorized access for the purpose of relevant anti-hacking laws, and exempt from restrictions in our terms of service that would otherwise conflict with security research conducted under this policy.
  • If a third party brings legal action against you for activity that complied with this policy, we’ll make it known that your actions were authorized.
This safe harbor applies only to the good-faith research described here. It does not authorize accessing other users’ data, degrading service, or any activity outside the scope above. If in doubt about whether an action is covered, contact us at security@alterscope.org before proceeding.