Responsible Disclosure
Policy

This web page represents a legal document with terms and conditions applicable to all individuals who intend to research information security vulnerabilities on Appfarm AS assets. Upon the attempt to uncover vulnerabilities, you are referred to as a “Researcher” and you are bound by and are obligated to comply with the Researcher Terms and Conditions provided on this page.

If you believe that you have found any vulnerabilities on assets defined in the scope, a thorough report can be submitted to security@appfarm.io

A member of our security team will then review the report, and get back to you normally within a week. Depending on the criticality of the report, response time will vary.

We’re always interested in hearing about any reproducible vulnerability that affects the security of users, including:

• Remote Code Execution (RCE)
• SQL Injection (SQLi)
• Server Side Request Forgery (SSRF)
• Cross Site Request Forgery (CSRF)
• Cross Site Scripting (XSS)
  ‍

We are generally not interested in reports pointing out the following issues: 

• HTTP sniffing or HTTP tampering exploits
• Open API endpoints serving public data
• Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks.
• Output from automated scans
• Clickjacking with minimal security implications
  
• Missing DMARC records

Currently all appfarm services running on the following domain and subdomains:
‍

• appfarm.io
• *.appfarm.io

Note that potential problems with our sub-processors will be forwarded to the responsible party, for them to evaluate the report.

We currently do not have any set prices for reports that we receive, but do offer some Appfarm merchandise if we believe that a report provides valuable information for our organization.