Welcome to the Alethea.AI Security Contact Page

For efficient handling and a quick response, please ensure your report is detailed, providing as much information as possible. Our triage team will acknowledge and analyze your report promptly.

Preferred Language: English
Contact Email: Support@alethea.ai
Response Time: Within 3 business days

Disclaimer: We do not grant permission for explicit testing. All reports are assumed to be submitted in good faith. If you discover any vulnerabilities in our smart contracts or websites during routine checks, please report them immediately and cease further analysis.

Bounty Program: Currently, there is no monetary bug bounty or reward. However, rewards may be offered based on the severity and impact of the vulnerability at the discretion of our management. Submissions must include a proof of concept (POC) for the vulnerability; merely providing CVE details or vulnerabilities without a POC will not qualify. Rewards, if applicable, are issued in ALI Tokens. Significant rewards are determined through votes on AIprotocol Proposals, as demonstrated at: https://snapshot.box/#/s:aiprotocolinstitute.eth

Scope: We are interested in the following vulnerabilities:
+ Smart contract logic and bugs
+ Business logic issues
+ Remote code execution (RCE)
+ Database vulnerabilities, SQLi
+ File inclusions (local and remote)
+ Access control issues (IDOR, privilege escalation, etc.)
+ Leakage of sensitive information
+ Server-Side Request Forgery (SSRF)
+ Other vulnerabilities with a clear potential loss

---

Out of Scope: Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not meet the severity threshold:
x Findings derived primarily from social engineering (e.g. phishing, etc.)
x Visual typos, spelling mistakes, etc.
x UI/UX bugs, data entry errors, spelling mistakes, typos, etc.
x Network-level Denial of Service (DoS/DDoS) vulnerabilities
x Certificates/TLS/SSL related issues
x DNS issues (i.e. MX records, SPF records, etc.)
x Server configuration issues (i.e. open ports, TLS, etc.)
x Spam or social engineering techniques
x Security bugs in third-party applications or services
x XSS exploits that do not pose a security risk to 'other' users (Self-XSS)
x Login/Logout CSRF-XSS
x HTTPS/SSL or server-info disclosure related issues
x HTTPS mixed content scripts
x Brute force attacks
x Best practices concerns
x Recently (less than 30 days) disclosed 0day vulnerabilities
x Username/email enumeration via Login/Forgot Password page error messages
x Missing HTTP security headers
x Weak password policy
x HTML injection