1. Policy summary
alphabell welcomes security research on its Site and its open-source artefacts. This page describes the scope, the disclosure process, and the commitments we make in return for the time and discretion of researchers who report issues responsibly.
2. Scope
In scope:
- dev.alphabell.com and any sub-paths.
- alphabell.com and www.alphabell.com.
- mail.alphabell.com (the web-facing portion of the lab's mail relay).
- The lab's open-source repositories under github.com/alphabell-labs, specifically: oversight-tools, ab-circuits, ab-trace, ab-pairs, ab-scheduler, ab-verify.
- The lab's published container images on ghcr.io/alphabell-labs.
Out of scope:
- Third-party services we depend on (Plausible, Resend, Cloudflare, GitHub, the lab's compute operators) — report to the respective vendor.
- Authenticated areas accessible only to lab contributors (the internal index, the proposal queue, the federated scheduler operator dashboard).
- Social-engineering attacks against lab contributors or anchor stewards.
- Denial-of-service attacks, volumetric attacks, and rate-limit bypasses pursued for their own sake rather than to demonstrate a downstream impact.
- Reports against forks of lab-published code that the lab does not host.
3. How to report
Send your report to security@alphabell.com. We strongly prefer PGP-encrypted reports for any issue that includes proof-of-concept material or credentials. The current PGP key fingerprint for the security inbox is:
4F2E A8B1 9D44 C027 6FB3 1E8E 5A37 0C9D 2F6B 49AC
The key itself is published at /.well-known/pgp-key.txt; whenever the key is rotated, this page is updated with the new fingerprint at the same time. Verify the full fingerprint of any key you download against the value above (not just the short key ID) before encrypting a report to it.
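A check a reporter can run before trusting a downloaded key, as an added example that is not part of this policy page: it reads the machine-readable output of `gpg --with-colons --import-options show-only --import` (so nothing is imported into the keyring), extracts the primary-key fingerprint, and accepts the file only if it contains exactly one primary key whose fingerprint equals the one published above. The `gpg` flags are real GnuPG options; the colon-format samples embedded below are constructed for illustration and the user ID, dates and subkey shown in them are not the lab's actual key.

```python
"""Verify a downloaded PGP key against the fingerprint published on this page.

Added example (not the lab's own tooling). Parses GnuPG's --with-colons output
and refuses the key unless its primary fingerprint matches the published one.
"""
import re
import subprocess

# Fingerprint exactly as published in section 3 of the policy page.
PUBLISHED_FINGERPRINT = "4F2E A8B1 9D44 C027 6FB3 1E8E 5A37 0C9D 2F6B 49AC"


def normalise_fingerprint(fpr: str) -> str:
    """Drop whitespace and upper-case so 'ab12 cd34' and 'AB12CD34' compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def primary_fingerprints(colon_output: str) -> list:
    """Return the fingerprints of primary keys ('pub' records) in colon output.

    In colon format an 'fpr' record follows the 'pub' or 'sub' record it
    belongs to, with the fingerprint in field 10. Subkey fingerprints are
    ignored on purpose: the published value is the primary-key fingerprint.
    """
    fprs = []
    last_record = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            last_record = fields[0]
        elif fields[0] == "fpr" and last_record == "pub" and len(fields) > 9:
            fprs.append(fields[9])
            last_record = None  # only the first fpr after a pub record counts
    return fprs


def key_matches(colon_output: str, expected: str = PUBLISHED_FINGERPRINT) -> bool:
    """True only if the file holds exactly one primary key and it matches.

    Exactly one: a key file that bundles an extra key is a classic way of
    getting a reporter to encrypt to the wrong recipient as well.
    """
    fprs = primary_fingerprints(colon_output)
    return len(fprs) == 1 and normalise_fingerprint(fprs[0]) == normalise_fingerprint(expected)


def inspect_key_file(path: str) -> str:
    """Run gpg in show-only mode (nothing is imported) and return its colon output."""
    result = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--import-options", "show-only", "--import", path],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Constructed sample: one primary key whose fingerprint matches the published value.
# Key IDs, dates and the subkey are illustrative, not the lab's real key.
SAMPLE_GOOD = """\
pub:-:4096:1:5A370C9D2F6B49AC:1700000000:::-:::scESC::::::23::0:
fpr:::::::::4F2EA8B19D44C0276FB31E8E5A370C9D2F6B49AC:
uid:-::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::alphabell security <security@alphabell.com>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1700000000::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
"""

# Constructed sample: the same file with a second, unexpected primary key appended.
SAMPLE_BUNDLED = SAMPLE_GOOD + """\
pub:-:4096:1:FFFFFFFFFFFFFFFF:1700000000:::-:::scESC::::::23::0:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:
"""

if __name__ == "__main__":
    # To check a real download: key_matches(inspect_key_file("pgp-key.txt"))
    print("good key accepted:", key_matches(SAMPLE_GOOD))        # True
    print("bundled keys rejected:", key_matches(SAMPLE_BUNDLED))  # False
```

Only after `key_matches` returns true should the key be imported for real (drop the `show-only` option) and used with `gpg --encrypt --recipient 4F2EA8B19D44C0276FB31E8E5A370C9D2F6B49AC`; passing the full fingerprint rather than an e-mail address as the recipient avoids picking up a look-alike key that happens to be in the keyring.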
4. What to include in a report
- A description of the issue, ideally with a clear impact statement.
- Reproduction steps. If the issue requires specific input, include the input.
- Any mitigations you have already identified.
- Whether you have shared the issue with anyone else, and your expected public-disclosure timeline (if any).
- A name and contact channel for us to acknowledge you — or a clear statement if you prefer to remain anonymous.
5. What we commit to
- Acknowledgement within 3 working days. We acknowledge every well-formed report, even where we determine the issue is out of scope.
- Triage within 14 working days. We provide an initial assessment of severity and a working response timeline.
- Honest engagement. If we disagree with your assessment, we say so and explain why. We do not stonewall.
- A 90-day disclosure window. We aim to remediate in-scope issues within 90 days of the initial report; if more time is needed, we will request an extension before the window closes rather than after it. We honour reasonable researcher-disclosure timelines.
- Public credit. Reports that lead to a substantive fix are acknowledged on the Hall of Fame below, unless the reporter prefers anonymity.
- No legal action against good-faith research. We will not pursue legal action against researchers who follow this policy in good faith. We do not enter into bounty-related NDAs.
6. What we do not offer
We do not pay cash bounties at this time. Reports that lead to a substantive fix earn public credit, our active assistance with academic publication of the finding where relevant, and, where the researcher is a suitable candidate, serious consideration for a visiting-fellow placement. The lab's funding model (see /funding) does not currently support a cash-bounty programme; if that changes, we will say so here.
7. Hall of Fame
Researchers whose reports led to substantive fixes:
- Yuna Lefebvre — TLS pinning bypass in ab-trace (2025-Q4)
- Tomáš Krištofík — input-handling bug in the publications JSON loader (2025-Q3)
- Anika Patel — race condition in the careers application upload flow (2025-Q2)
- Sebastián Aldana — Cross-site scripting bypass on a legacy news-detail layout (2025-Q1)
- Hannah Børgmann — Open redirect via the unsubscribe-confirmation flow (2024-Q4)
- (anonymous) — Server-side request forgery vector in an internal staging build (2024-Q3)
8. Coordinated disclosure
Where an issue is jointly relevant to alphabell and to a third party (a peer lab, a downstream consumer of our tooling, the External Evaluation Cooperative), we coordinate disclosure. Researchers should expect us to contact the affected third party promptly after acknowledgement and to invite the third party into the disclosure timeline.
Version 2.0 · Last updated 2026-05-17.