Security
Last updated 2026-04-25. The authoritative source for this page is docs/legal/forms/vulnerability_disclosure_policy.md in the Signal repository.
How to report
Email security@alpha-tax.ai. Encrypted email is welcomed; the PGP public key is published at /.well-known/security-pgp.asc when configured.
Please include:
- A description of the vulnerability and the affected component or endpoint.
- Reproduction steps, including any HTTP requests, payloads, or configuration required.
- The impact you believe the vulnerability has.
- Whether you require credit for the discovery.
Scope
This policy applies to:
- The alpha-tax.ai web application and API endpoints under /api/.
- The Python tax-pipeline worker invoked by the upload endpoint.
- The persistent volume on Fly.io that stores Signal’s vault and grant records.
- Any sub-domain or related infrastructure operated by Signal under alpha-tax.ai.
It does not cover:
- Third-party services (Fly.io platform, Plaid, the LLM provider). Report those directly to the vendor.
- Domain registrar or DNS host services. Report to the relevant vendor.
- Vulnerabilities affecting only the reporter’s own browser configuration or third-party browser extensions.
Authorization for security research
Signal authorizes good-faith security research conducted under the terms of this policy. Specifically, research that:
- Avoids privacy violations of other users (do not access, modify, or exfiltrate other users’ vault contents).
- Avoids degradation of the service for other users (no DoS, no high-volume scanning that materially affects availability).
- Avoids social-engineering attacks against Signal’s operator or its vendors.
- Avoids physical attacks against Signal’s infrastructure.
- Avoids automated attacks on production accounts beyond the reporter’s own test accounts.
is permitted, and Signal will not pursue legal action under the Computer Fraud and Abuse Act, similar state laws, or the Digital Millennium Copyright Act for research conducted within those bounds.
What to expect from Signal
- Acknowledgement within 3 business days.
- Initial assessment within 10 business days.
- Remediation: 7 days for critical, 30 days for high, 60 days for medium; low-severity issues are tracked but have no fixed timeline.
- Notification of fix when remediation is deployed.
- Public credit in the disclosure log at the reporter’s option.
Coordinated disclosure
Signal asks reporters to give the operator a reasonable time to remediate before publishing. The default window is 90 days from initial report, or sooner if the remediation is deployed. If Signal cannot remediate within the default window, Signal will communicate the reason and propose an extension. Reporters retain the right to disclose at the end of the default window regardless.
Public disclosure log
Resolved vulnerabilities are published with an advisory ID, affected component, severity, brief description, remediation date, and credit to the reporter (with permission). The advisory does not include reproduction details that would enable exploitation against unpatched deployments.
Out of scope
- Vulnerabilities discovered through testing that violates the authorization above.
- Reports of misconfigured DNS, missing security headers that merely duplicate public scanner output, or theoretical issues with no exploitation path.
- Reports requesting payment as a condition of disclosure. Signal does not run a paid bug bounty while in alpha; researchers are welcome and are compensated with credit, not payment.
See also: machine-readable contact information at /.well-known/security.txt.