We operate a policy of responsible disclosure whereby we work closely with security researchers to ensure any potential vulnerabilities submitted to us are reviewed and remediated as soon as possible.

If you believe you have identified a security vulnerability in one of our products, services, applications or systems, then we would love to work with you to fix it as quickly as possible.

When to report a security vulnerability?

If you think you have identified a security vulnerability that affects Algbra systems and/or customers, then you should submit a report as soon as possible.

Guidelines

We request that all researchers follow the straightforward guidelines below:

  • Do not publicise the vulnerability without our explicit approval.
  • Do not access customer or employee personal information or any Algbra confidential information. If you accidentally access any of these, please stop testing and submit your report immediately.
  • Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
  • Do not degrade the Algbra Platform (e.g., Denial of Service) or the customer experience, disrupt production systems, or destroy data during your research.
  • Do not run automated vulnerability scans - we have the capability to do this ourselves.

What information should you provide in the report?

The more information you are able to provide, the faster we will be able to respond and remediate any potential vulnerabilities.

The information below is a loose template we ask researchers to follow when reporting vulnerabilities:

  • Your name
  • Date and time of discovery
  • Your number, if you are comfortable providing it
  • Technical details of the vulnerability
  • Raw HTTP requests and responses where appropriate. Any timestamps that would help us correlate logs would be useful
  • Clear and concise step-by-step guide to allow for validation. Attach any screenshots or videos to the email or via a private storage account. Do not upload any attachments to public storage websites

Reports that are out of scope and that are unlikely to facilitate a response:

  • Reports that are not actual security vulnerabilities (e.g., forgetting your password is not a security vulnerability)
  • Spamming, social engineering, or phishing attacks
  • Accessible, non-sensitive files or directories (e.g., README.txt, robots.txt, etc.)
  • Fingerprinting / banner / version disclosure of common applications and/or services
  • Username / email enumeration by brute-forcing or by inference of certain error messages - except in exceptional circumstances such as the ability to enumerate phone numbers by incrementing a variable

Now that you’ve read the above, here’s how you can contact us:

Send your report to responsible-disclosure@algbra.com
