Responsible disclosure
Found a vulnerability? Please report it privately before public disclosure. We value responsible reporters and will credit you if you like (subject to your consent).
Contact:
- @Alphaprismbot on Telegram
- Preferred: encrypted DM with PoC + expected severity
- Response target: acknowledgement within 48 h
In scope
- alphaprism.it.com and all its subdomains
- The public HTTP API under /api/*
- The WebSocket gateway at /ws
- The Telegram bot @Alphaprismbot (unauth'd command surface only)
- Any rug-score false-positive or false-negative that looks exploitable by a malicious token deployer
Out of scope
- Third-party services we consume (CoinGecko, Blockscout, twitterapi.io, Igra / Kasplex RPCs, Kaspa API).
- Missing best-practice headers that don't unlock a concrete attack.
- Clickjacking on pages without sensitive state change.
- Rate-limit bypass on public read-only endpoints (we expect and budget for this).
- Self-XSS requiring the user to paste into devtools.
- Social engineering of AlphaPrism staff.
What gets priority
- Authentication bypass (SIWE replay, nonce reuse, admin role escalation).
- Server action IDOR (toggling alerts or watchlist items for other users).
- Rug-score manipulation — any on-chain pattern that forges a fake +bonus on a genuinely rug-risk token.
- SQL / command injection, SSRF, RCE.
- Cross-user data leakage via the realtime gateway.
Safe harbour
Acting in good faith under this policy, we will not pursue legal action for testing. Please: don't access data beyond what's needed to prove the issue, don't degrade service for other users, and don't publicly disclose until we've had 90 days or a fix has shipped — whichever comes first.
Machine-readable
A /.well-known/security.txt is served with canonical contact details.