RESPONSIBLE DISCLOSURE POLICY

Aliat Platform 

Operated by Jivy Group Software S.R.L. 

Last updated: 10 April 2026 

We take security seriously 

The security of our platform and our Customers’ data is a priority. If you have discovered a security vulnerability in Aliat, we want to hear from you. We appreciate the work of security researchers who help us keep our platform safe, and we are committed to working with you to understand and resolve issues quickly. 

How to report a vulnerability 

Send your report to security@aliat.io. 

Please include as much of the following as possible: 

  • A description of the vulnerability and its potential impact. 
  • Steps to reproduce the issue, or a proof-of-concept. 
  • The URL, endpoint, or component affected. 
  • Your assessment of severity (using the CVSS framework), if you have one. 
  • Any supporting material (screenshots, screen recordings, logs, HTTP requests/responses). 
Do not include Customer data, End-User data, or any personal data belonging to third parties in your report. If the vulnerability involves access to such data, describe what you observed without extracting or retaining the data itself. 

What we commit to 

Acknowledgment. We will acknowledge receipt of your report within 2 business days. 

Assessment. We will provide an initial assessment of the report, including whether we have confirmed the vulnerability, within 10 business days. If a reported issue is a duplicate of an existing report or a previously known vulnerability, we may close it without further action. We will indicate this where possible. 

Communication. We will keep you informed of our progress toward remediation. If we need additional information, we will reach out promptly. 

Remediation. We will work to remediate confirmed vulnerabilities in a timeframe appropriate to their severity. Critical vulnerabilities affecting Customer data will be treated as the highest priority. 

Credit. If you would like to be publicly acknowledged for your discovery, we are happy to credit you by name (or pseudonym) once the issue is resolved. Just let us know your preference when you report. We will not publish your identity without your consent. 

Coordinated disclosure. We will work with you to agree on appropriate disclosure timing after the vulnerability has been remediated. We believe that coordinated disclosure — where the fix is deployed before details are published — best protects our Customers and End-Users. 

Safe harbour 

We will not take legal action against individuals who discover and report security vulnerabilities in good faith, provided that they: 

  • Make a good-faith effort to avoid accessing, modifying, or deleting data belonging to others, and do not intentionally access Customer or End-User data beyond what is minimally necessary to demonstrate the vulnerability. 
  • Do not exploit the vulnerability beyond what is necessary to confirm its existence. 
  • Do not perform actions that degrade the availability or performance of the Service (including denial-of-service testing, brute-force attacks, or automated scanning at a volume that impacts other users). 
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate it. 
  • Comply with all applicable laws. 
Please limit testing to reasonable volumes that do not impact platform stability. Where authentication is required, researchers should use accounts they own or have been granted explicit permission to use. We do not currently provide dedicated test accounts. 

If your research inadvertently causes a disruption or accesses data you did not intend to access, and you report it to us promptly, we will consider this in good faith when assessing the situation. 

We consider security research that complies with this policy to be authorised conduct and will not pursue legal claims against you for it. If a third party initiates legal action against you for research conducted in compliance with this policy, we will take reasonable steps to make it known that your actions were authorised.

What is in scope 

  • The Aliat web application (app.aliat.io) 
  • The Aliat marketing website (aliat.io) 
  • Aliat APIs 
  • Authentication and session management 
  • Data access controls and authorization 
  • Encryption implementation (including data-at-rest, data-in-transit, and key management mechanisms controlled by Aliat)
  • Any infrastructure directly operated by JivyGroup Software S.R.L. 

What is out of scope 

The following are not covered by this policy and should not be tested: 

  • Third-party services and platforms that Aliat integrates with (Meta, Auth0, Stripe, SendGrid, Azure). If you find a vulnerability in one of these services, please report it to them directly through their own security channels. 
  • Social engineering, phishing, or physical attacks against Aliat employees or contractors. 
  • Denial-of-service (DoS/DDoS) attacks or any testing that intentionally degrades service availability. 
  • Automated vulnerability scanning that generates excessive traffic, impacts rate limits, or degrades service performance. 
  • Attacks against accounts you do not own, unless you have explicit written permission from the account holder. 
  • Findings from automated tools without a demonstrated, validated, exploitable vulnerability (e.g. generic scanner output without proof of impact). 
  • Vulnerabilities in software or systems not operated by JivyGroup Software S.R.L. 

No bug bounty (for now) 

We do not currently operate a paid bug bounty program. We acknowledge every valid report and offer public credit where the researcher consents. If we introduce a paid bounty program in the future, this page will be updated accordingly. 

Contact

Purpose              Address
Security reports     security@aliat.io
Privacy enquiries    privacy@aliat.io
General contact      contact@aliat.io

JivyGroup Software S.R.L. · registered in Bucharest, Sector 2, Pipera Road, no. 48A, off. 408, Romania · Trade Register: J2022002531405 · CUI: 45627469