Security Disclosure Policy

How to report a security issue — and our commitments back to researchers.

Published · Effective June 5, 2026 · Version 1.0 · Governing law: State of Texas · Alignsoft, Inc., a Texas corporation

1. Purpose

This Security Disclosure Policy explains how researchers, customers, and users may report suspected vulnerabilities in Align systems.

2. How to Report

Reports should be sent to security@alignsoft.us. Please include a clear description, affected URL or endpoint, steps to reproduce, potential impact, proof of concept where safe, and contact information.

3. Research Rules

  • Do not access, modify, delete, or exfiltrate data that does not belong to you.
  • Do not disrupt service availability.
  • Do not use social engineering, phishing, physical attacks, or denial-of-service testing.
  • Do not test against production customers without authorization.
  • Stop testing and report immediately if you encounter non-public data.
  • Comply with applicable law and this policy.

4. Safe Harbor Statement

Align will not pursue legal action against good-faith security research that complies with this policy, avoids privacy harm and service disruption, and is promptly reported. This statement does not authorize activity that violates law or third-party rights.

5. Out of Scope

  • Missing security headers without demonstrated impact.
  • Clickjacking on pages without sensitive actions.
  • Rate-limit findings without practical exploitability.
  • Self-XSS or issues requiring unlikely user behavior.
  • Vulnerabilities in third-party systems not controlled by Align.
  • Reports generated solely by automated scanners without validation.

6. Response Process

Align will review reports, assess severity, investigate impact, prioritize remediation, and communicate as appropriate. Align does not guarantee rewards or public recognition unless a separate bug-bounty program is published.


Last reviewed: June 5, 2026 · Version 1.0 · Published.
