Alora Networks is a security company. We expect to find vulnerabilities, and we appreciate the researchers who help us fix them.
This page describes the rules of engagement for reporting a security issue to us. It applies to our website at aloranetworks.com and to the free tools we run on it. Reports made in good faith under this policy are welcome.
1. Scope
The following assets are in scope for security research and reports:
- The Alora Networks website at aloranetworks.com.
- The free SEO audit and threat assessment request flows.
- The contact and assessment forms, and the Web3Forms submission path.
- Configuration of our Cloudflare Pages deployment, DNS, and email authentication records (SPF, DKIM, DMARC).
The following are out of scope:
- Third-party services we use that have their own disclosure programs, including Web3Forms, Cloudflare, Ahrefs, and Google Workspace. Report issues in those services to their respective security teams.
- Customer environments. Any system, network, or application belonging to an Alora Networks customer is not in scope for testing through this program.
- Social engineering, physical security, or attacks against Alora Networks employees.
- Denial-of-service or stress testing.
- Findings that only affect outdated browsers, automated scanner output without proof of impact, missing security headers without an exploitable consequence, or theoretical issues without a demonstrated attack path.
2. How to Report
Send reports to [email protected].
Please include:
- A clear description of the issue, including the affected URL or component.
- Steps to reproduce, ideally with a proof of concept (request, payload, screenshot, or short video).
- The impact you observed or believe is achievable.
- Your contact information and whether you would like to be credited if we publish a fix note.
3. Safe Harbor
If you research and report a vulnerability in accordance with this policy, in good faith, we will:
- Not pursue or support any civil or criminal action against you.
- Treat your activity as authorised security testing, including authorised access under applicable computer-misuse legislation.
- Work with you to understand and fix the issue, and keep you informed during triage and remediation.
To stay within this safe harbor:
- Only test against the in-scope assets listed in Section 1.
- Make a good-faith effort to avoid privacy violations, service disruption, and data destruction.
- Stop testing as soon as you have established the existence of a vulnerability. Do not exfiltrate data beyond what is needed to demonstrate impact.
- Do not disclose the issue publicly until we have had a reasonable opportunity to fix it (see Section 5).
If you are uncertain whether an action is within scope or safe harbor, contact us first at [email protected] and ask.
4. Response Targets
We aim to:
- Acknowledge your report within 2 business days of receipt.
- Provide an initial triage outcome (in scope / out of scope / duplicate, with severity assessment) within 7 business days.
- Share a remediation plan with target dates within 14 business days for confirmed issues.
- Notify you when the fix is deployed.
Critical issues (active exploitation, unauthenticated access to sensitive data, account takeover, or remote code execution) are triaged within hours of receipt.
5. Coordinated Disclosure
We ask that you do not publicly disclose a vulnerability until:
- We have deployed a fix, or
- 90 days have passed since your initial report, whichever comes first.
If we need additional time beyond 90 days, we will tell you why and propose a revised disclosure date. We will not extend this window unreasonably.
We will credit researchers who report valid issues, with your permission, when we publish a fix note or a public advisory.
6. Rewards
We do not currently operate a paid bug bounty program. We do offer:
- Public acknowledgement, with your permission, in a Security Hall of Fame on this page (planned).
- A short written reference describing your finding, useful for portfolios and conference submissions, on request.
- Direct relationships with our team for future research.
If your finding is exceptional or required substantial effort, we may offer a discretionary reward. This is decided case by case.
7. security.txt
We publish machine-readable contact information at /.well-known/security.txt in accordance with RFC 9116. The values there match this page.
8. Contact
Vulnerability reports and questions about this policy can be directed to:
Alora Networks Inc.
Email: [email protected]
Phone: 1-844-355-6935