Security
Bug Bounty Program
We take the security of production data seriously. If you find a vulnerability, report it responsibly and we'll work with you to fix it — and reward you for it.
Rewards
Bounties are illustrative and awarded at our discretion based on severity, impact, and report quality.
| Severity | Reward | Examples |
| --- | --- | --- |
| Critical | $5,000 – $15,000 | RCE, auth bypass, tenant isolation breaks |
| High | $1,500 – $5,000 | Privilege escalation, sensitive data exposure |
| Medium | $500 – $1,500 | CSRF, stored XSS, access-control gaps |
| Low | $100 – $500 | Limited-impact issues, best-practice gaps |
In scope
- alkera.ai and its subdomains
- The Alkera web app and API
- The Alkera CLI and editor extension
- The model gateway and connector integrations
Out of scope
- Denial-of-service (DoS/DDoS) and volumetric testing
- Social engineering, phishing, or physical attacks
- Automated scanner output without a working proof-of-concept
- Third-party services we don't operate
How to report
Email security@alkera.ai with a clear description, reproduction steps, and impact. Please give us a reasonable window to remediate before any public disclosure.
Safe harbor
We won't pursue legal action for good-faith research that respects this policy: stay within scope, don't access or modify other users' data, don't degrade the service, and report promptly. If in doubt, ask first.