[ responsible disclosure ]

Security

Our commitment

We take the security of Alchemize and the data our customers entrust to us seriously. If you discover a vulnerability, we want to hear about it so we can fix it quickly.

How to report

Please report security issues by email to security@alchemizeiq.com. You can also use our security.txt.

We aim to acknowledge reports within 24 hours and provide an estimated resolution timeline within 72 hours.

In scope

  • Authentication bypass or privilege escalation
  • Injection vulnerabilities (SQL, XSS, SSTI, etc.)
  • Exposed sensitive data or credentials
  • Server-side request forgery (SSRF)
  • Insecure direct object references
  • API endpoint misconfigurations

Out of scope

  • Denial of service attacks
  • Physical security attacks
  • Social engineering of Alchemize employees
  • Vulnerabilities in third-party services we have no control over
  • Reports from automated scanners without a clear proof of concept

Rules of engagement

  • Only test against accounts you own or have explicit permission to test.
  • Do not access, modify, or delete data that is not yours.
  • Do not perform actions that could degrade service for others.
  • Report findings privately before public disclosure (90-day window).

Recognition

We don’t currently offer a bug bounty programme, but we do publicly credit researchers who disclose responsibly — with your permission. We’re grateful for your help keeping Alchemize secure.

[ report a vulnerability ]

Email security@alchemizeiq.com