Security Disclosure Policy
Last updated: 18 April 2026. Operated by MeliUX Ltd. Version 1.0.
security.txt.
Our security posture
What we do on our side, so you know what you are testing against:
- Local corpus encryption. The on-disk corpus of captured tricks is encrypted at rest using the operating system's credential store. Only the logged-in user account that captured them can decrypt it.
- Signed extensions. Every marketplace bundle is Ed25519-signed by our server. The AllAddin client refuses to install anything without a valid signature.
- Three-layer review. Every submitted extension passes structural validation, static analysis, and reputation checks before a human reviewer sees it.
- Audit log retention. Request and security events are automatically pruned after 90 days. See the privacy policy for the full retention schedule.
How to report
Email security@alladdin.dev with:
- A clear description of the issue and its impact.
- Steps to reproduce, or a proof-of-concept if you have one.
- Your name and a contact address, so we can acknowledge and credit you.
If you want to encrypt your report, include a request for our PGP key in your first message and we will reply with it.
Our commitments
- Acknowledgement within 72 hours (counted in business days) of receiving a valid report.
- Status update every 14 days while we are investigating.
- Disclosure window of 90 days from the acknowledgement, extended by mutual agreement if a fix is in flight.
- Public credit on request, in the release notes of the fix.
Safe harbour
We consider security research conducted in line with this policy to be authorised. We will not pursue or support legal action against researchers who:
- Report vulnerabilities promptly and in good faith.
- Make a reasonable effort to avoid privacy violations, service disruption, or data exfiltration.
- Do not access or modify data belonging to other users beyond what is strictly needed to demonstrate the issue.
- Do not publicly disclose the issue before the coordinated disclosure window closes.
This safe harbour covers both civil action under computer misuse legislation and any contractual claim arising from your use of the AllAddin service while testing.
In scope
- alladdin.dev and all subdomains.
- The AllAddin Revit add-in binary and its auto-update channel.
- The backend API at https://alladdin.dev/api/*.
- Third-party services that we operate (not those operated by Railway, GitHub, Anthropic, Sentry, or OpenAI; please report issues in those to them directly).
Out of scope
- Denial-of-service or volumetric attacks.
- Social engineering of our staff or testers.
- Physical attacks on our offices or equipment.
- Attacks requiring physical access to a victim's device.
- Missing security headers without a demonstrated impact.
- Automated scanner output without a verified exploitable finding.
Legal
This policy does not authorise access to data belonging to anyone other than yourself. It does not override UK or other applicable law. It does not grant any rights to our intellectual property.
MeliUX Ltd is a UK limited company, registered in England and Wales. Governing law for this policy is England and Wales.