Allvei
Join the future

Vulnerability Disclosure Policy

ALLVEI takes the security of our systems seriously. We appreciate the security community's efforts to help us maintain the security of our products and services through responsible vulnerability disclosure.

Disclosure Policy

As a vulnerability report submitter, I agree to the following terms:

  • As a vulnerability report submitter, I will give the recipient reasonable time to investigate and mitigate an issue I report.
  • While the recipient investigates, I refrain from discussing my discovery in any way with a third party (e.g. fellow researchers, colleagues, companies, governments).
  • Acting in good faith, I make an effort to avoid privacy violations and disruptions to others, including but not limited to destruction of data and interruption or degradation of any services.
  • I do not exploit a security issue I discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)

Scope

This policy applies to vulnerabilities in:

  • ALLVEI websites and web applications (*.allvei.com)
  • ALLVEI mobile applications
  • ALLVEI APIs and services
  • Other systems owned and operated by SARL VICTOR POUCHERET
  • Any software or infrastructure directly controlled by our organization

Guidelines for Responsible Testing

When investigating potential security vulnerabilities, please:

  • Act in good faith and avoid privacy violations, destruction of data, and disruption of our services
  • Use only test accounts you own or have explicit permission to use - do not access other users' data
  • Limit your testing to the minimum necessary to demonstrate the vulnerability
  • Avoid automated scanning that could impact service performance
  • Do not perform social engineering attacks against our employees, contractors, or users
  • Respect rate limiting and do not overwhelm our systems
  • Do not modify or delete data belonging to others

What to Include in Your Report

To help us understand and address the vulnerability quickly, please provide:

  • Clear description of the vulnerability and its potential impact
  • Detailed steps to reproduce the issue, including any specific conditions
  • Affected systems, URLs, or components
  • Proof-of-concept code or screenshots (if applicable)
  • Severity assessment and potential business impact
  • Suggested remediation (if you have recommendations)
  • Your contact information for follow-up questions
  • Timeline for public disclosure (if you plan to publish research)

Out of Scope

The following are generally not eligible for our responsible disclosure program:

  • Attacks requiring physical access to a user's device or premises
  • Social engineering attacks against employees, contractors, or users
  • Vulnerabilities in third-party applications, services, or dependencies we don't control
  • Issues that don't have a demonstrable security impact
  • Spam, phishing, or denial of service attacks
  • Brute force attacks or credential stuffing
  • Issues related to software versions we don't support
  • Clickjacking on pages without sensitive actions
  • Mixed content warnings on non-sensitive pages
  • Missing security headers that don't lead to a demonstrable vulnerability

Our Commitment

We commit to:

  • Acknowledge receipt of your vulnerability report within 48 hours
  • Provide an initial assessment and estimated timeline within 5 business days
  • Keep you informed of our progress throughout the investigation and remediation process
  • Work with you to understand the vulnerability and validate our fix
  • Credit you publicly for the discovery (if desired) once the vulnerability is resolved
  • Not pursue legal action against researchers who follow this policy in good faith
  • Maintain confidentiality until a mutually agreed disclosure timeline

How to Report

Please send security vulnerability reports to: [email protected]

Include "SECURITY VULNERABILITY" in the subject line to ensure prompt handling.

For particularly sensitive vulnerabilities or encrypted communication, please request our PGP key in your initial contact.

Intellectual Property

By submitting a report, the security researcher warrants that the report and any attachments do not violate the intellectual property rights of any third party, and the security researcher assigns, free of charge, to the receiving company, which accepts, all intellectual property rights.

Safe Harbor

We will not initiate legal action against security researchers who:

  • Follow this responsible disclosure policy
  • Act in good faith without malicious intent
  • Do not violate privacy or cause harm to users or systems
  • Do not access, modify, or delete data beyond what is necessary to demonstrate the vulnerability
  • Do not disrupt our services or degrade user experience
  • Make a good faith effort to avoid accessing sensitive data

Questions

If you have questions about this policy or need clarification on what is in scope, please contact us at [email protected] before beginning your research.

Thank you for helping us keep ALLVEI and our users secure!
