Vulnerability Disclosure Policy
Effective 2026-05-17
We welcome reports from security researchers acting in good faith to help keep the AlphaZero Studios LLC platform safe.
In scope
- The AlphaZero Studios LLC platform admin shell and APIs (this domain).
- Storefronts served by the platform on first- and third-party domains.
- Storefront-engine and platform-core runtime libraries (review of their runtime behavior as deployed; source code is not provided).
Out of scope
- Subprocessor infrastructure — report to the vendor directly per their own program (Stripe, Cloudflare, Hetzner, AWS, etc.).
- Storefront content authored by individual merchants (report to that merchant).
- Denial-of-service via volume or amplification.
- Social engineering of staff or shoppers.
- Physical attacks against people, hardware, or facilities.
How to report
Email legal@alphazerostudios.com. Encrypt with our PGP key if the report contains exploit details (request the key in your first email; we'll respond with the fingerprint).
Include:
- A clear description of the issue and the affected URL or component.
- Step-by-step reproduction.
- Impact assessment (what the vulnerability lets an attacker do).
- Any proof-of-concept code or screenshots.
Response timeline
- Within 72 hours — acknowledgement of receipt.
- Within 14 days — initial triage and severity classification.
- Ongoing — status updates at least every 14 days until the issue is closed.
Safe harbor
We will not pursue civil or criminal action against researchers who, in good faith and in accordance with this policy:
- Make a reasonable effort to avoid privacy violations, destruction of data, and interruption of service.
- Use only designated test accounts or accounts they own to demonstrate vulnerabilities.
- Give us reasonable time to remediate before disclosing publicly.
- Do not exploit the vulnerability beyond what is necessary to confirm it.
Activities consistent with this policy will be considered authorized under the Computer Fraud and Abuse Act and similar laws; we will not pursue or support adverse action against researchers for them.
Acknowledgements
With your permission we'll add your name to our researcher acknowledgements after the fix ships. We do not offer monetary bounties at this time.