Disclosure · SafeKey

Coordinated vulnerability disclosure

Last updated: 15 May 2026.

We welcome responsible reports about security weaknesses in SafeKey services and officially distributed clients. This process is voluntary; it does not grant a bounty unless we publish one.

Contact

Email security@alfanestlabs.com with a subject line containing SafeKey and a short summary. Encrypt mail with PGP only if we publish a key for that address; otherwise, TLS to your mail provider is acceptable for first contact.

What to include

Describe the impact, the affected component (web path, API route, Android build, etc.), reproduction steps, and whether the issue is already public. Redact unrelated personal data.

Permitted testing

Do not access third-party accounts, exfiltrate data, degrade production availability, or perform physical attacks on infrastructure. Do not publicly disclose a zero-day until we have had reasonable time to remediate (guideline: 90 days for standard issues, unless a shorter or longer timeline is agreed in writing).

Our response

We aim to acknowledge receipt within five business days for reports that are actionable and in scope. Complex issues may require more time; we will keep reporters informed when an email address is supplied.

Out of scope

Reports limited to scanner noise without impact, social engineering against individuals, forgotten passwords, issues in third-party services without a clear SafeKey integration flaw, or spam are typically out of scope. Issues in unreleased or unofficial builds may receive lower priority unless they affect production secrets.

Safe harbour intent

When you follow this policy in good faith, we will not pursue legal action for accidental access or other research conducted as authorised by this policy. This statement is not a binding contract in every jurisdiction; it records our intent.

EU CRA context

From 11 September 2026, products with digital elements already on the EU market must follow Regulation (EU) 2024/2847 reporting rules for active exploitation and severe incidents. This channel is for technical vulnerability intake; use official national/ENISA routes when laws require regulatory notification.
