Vulnerability disclosure policy
We take security seriously. If you find a vulnerability in EI BNC Compta or any AlfaNest Labs product, please report it to us — we will respond promptly and responsibly.
Report a vulnerability
Email: security@alfanestlabs.com
Please include as much detail as possible: the product and version, a description of the issue, steps to reproduce, and the potential impact. Encrypted submissions are welcome (contact us first for a PGP key if needed).
Our commitments to you
- We will acknowledge your report within 48 hours.
- We will provide an initial assessment and severity estimate within 5 business days.
- We will keep you informed of progress as we work on a fix.
- We will not take legal action against researchers acting in good faith under this policy.
- We will credit you in the release notes if you wish (or keep you anonymous if you prefer).
Response timeline
- Day 0: You submit the report to security@alfanestlabs.com.
- 48 h: We acknowledge receipt and assign a tracking reference.
- 5 days: We send an initial assessment: severity, affected scope, and whether we can reproduce.
- 90 days: Target for releasing a fix or publishing a mitigation. Complex issues may take longer — we will communicate any extension.
- After fix: We notify affected users and publish release notes. Coordinated public disclosure at a date agreed with the reporter.
Scope
This policy covers:
- EI BNC Compta — index.html, bundled libraries, license activation flow.
- AlfaNest Labs website — alfanestlabs.com and product subpages.
- SafeKey — see SafeKey disclosure policy.
Out of scope: third-party services used at user discretion (Mistral AI, browser vendor issues, CDN providers).
What we ask of researchers
- Do not access, modify, or destroy data that does not belong to you.
- Do not perform denial-of-service attacks or automated scanning beyond what is needed to confirm the issue.
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it (90 days from acknowledgement, or as agreed).
- Act in good faith with the goal of improving security for all users.
EU CRA Art. 14 — regulatory reporting
If a vulnerability constitutes an actively exploited security incident or a severe incident as defined by Regulation (EU) 2024/2847 Art. 14, AlfaNest Labs will notify the relevant national CSIRT (ANSSI for France) within the legally required timelines (24 hours for early warning, 72 hours for the full notification). Users will be informed without undue delay when a vulnerability affects data or functionality in a material way.
Contact
Security reports: security@alfanestlabs.com
General contact: contact@alfanestlabs.com
Last updated: May 2026