Security
How to report a vulnerability in AppAttest, and what happens after you do.
Reporting a vulnerability
Email security@appattest.dev with the details. Please do not open public issues or post publicly about a security problem before we've had a chance to fix it. If you have a fix in mind, attach a private patch and we'll discuss coordinated disclosure before anything is merged.
What to expect
- We aim to acknowledge your report within one business day.
- We'll work with you on coordinated disclosure and keep you updated as we investigate and fix.
- There is no paid bug-bounty program. We're grateful for good-faith reports and will credit you if you'd like.
Scope
This policy covers AppAttest's own surfaces:
- The AppAttest API service.
- The AppAttest dashboard.
- This website.
- The published AppAttest SDK and its platform bridges.
Out of scope
- Denial-of-service, volumetric, or load testing against our infrastructure.
- Automated scanning that degrades the service for others.
- Social engineering of our team or customers, and physical attacks.
- Reports from automated tools without a demonstrated, reproducible impact.
Good faith
If you make a good-faith effort to follow this policy while researching and reporting, we'll treat your report as authorized testing and work with you rather than pursue action. When in doubt, ask first at security@appattest.dev.