
Security · Responsible disclosure

Found a security issue? Tell us privately first.

We treat security reports seriously. Here's the scope, the process, and what you'll hear back.

What happens after you report

  • Email security@aliansoftware.net

    Subject line: 'Security report: [short title]'. Include reproduction steps, impact, and a single contact email for follow-up.

  • We acknowledge in 24 hours

    A human reads every report. We'll send back a tracking ID and an honest first read on severity within one business day.

  • We triage and remediate

    Critical (auth bypass, data exposure): patched within 48 hours, with daily status updates to you. High: 7 days. Medium / low: scheduled into the next sprint.

  • Coordinated disclosure

    We'd love 30 days before any public write-up — to let us patch and notify affected users. Faster timelines are negotiable in extreme cases.

In scope

  • aliansoftware.net (Alian AI subdomain and root)
  • Our AI endpoints (/api/solve, /api/chat, /api/contact, /api/subscribe)
  • Our PDF generation endpoints
  • OG image generator
  • Status endpoint

Out of scope

  • Third-party services we use (Anthropic, OpenAI, Resend, Vercel) — please report to them directly
  • Issues that require physical access or social engineering against our team
  • Denial-of-service vulnerabilities (we already rate-limit)
  • Output of public AI agents being 'wrong' — that's a quality issue, not a security one
  • Self-XSS, clickjacking on pages without sensitive actions

Safe-harbor commitments

  • We will not pursue legal action against good-faith researchers who follow this policy.
  • We'll credit you publicly (or keep you anonymous — your call).
  • Material findings get a thank-you swag pack. Critical findings get a paid bug bounty (case by case — we don't run a public bounty program yet).

Encrypted reports

For sensitive reports, encrypt with our PGP key. Email security@ for the current public key and fingerprint.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: Placeholder · request the real key at security@aliansoftware.net
Comment: We rotate annually and publish the fingerprint here.

[Public key block — request via email]
-----END PGP PUBLIC KEY BLOCK-----
For our general security posture, see the Security overview →