We welcome high-impact security reports that demonstrate a real compromise of AppDeploy systems, tenant boundaries, or privileged access controls.
Eligible Submission Types
Accepted submissions are limited to vulnerabilities that clearly demonstrate one or more of the following:
Cross-tenant boundary violation
Unauthorized access to, modification of, or disclosure of another tenant’s data, configuration, secrets, deployments, users, or resources.
Admin Dashboard access
Unauthorized access to the AppDeploy Admin Dashboard or administrative functionality.
User admin dashboard compromise
Compromise of a legitimate user’s admin dashboard, including privilege escalation, account takeover, or unauthorized administrative actions.
System infrastructure access
Unauthorized access to AppDeploy infrastructure, internal systems, deployment pipelines, cloud resources, databases, secrets, logs, or execution environments.
Proof Requirements
Each submission must include a basic proof of concept, and preferably a fully working proof of concept.
Reports should include at least one of the following:
- Clear reproduction steps
- A working PoC demonstrating the vulnerability
- Proof of compromise with relevant evidence
- Screenshots, request/response samples, logs, or extracted non-sensitive metadata
- A description of the affected tenant, account, resource, dashboard, or infrastructure component
Submissions without sufficient evidence of exploitability may be rejected.
Out of Scope
The following will not be considered valid submissions:
- Best-practice recommendations without demonstrated impact
- Theoretical vulnerabilities without a PoC
- Reports that only link to documentation, public guidance, or generic scanner output
- Missing security headers without demonstrated exploitability
- Low-impact informational findings
- Social engineering, phishing, or physical attacks
- Denial-of-service testing without prior written approval
Research Rules
Researchers must:
- Avoid accessing, modifying, or deleting data that does not belong to them, except where strictly necessary to demonstrate impact
- Minimize exposure of sensitive data
- Stop testing immediately after proving impact
- Report findings promptly
- Not disrupt AppDeploy services or customer environments
Submission Format
Please include:
- Vulnerability title
- Affected AppDeploy area or endpoint
- Vulnerability category
- Step-by-step reproduction instructions
- PoC or proof-of-compromise evidence
- Impact assessment
- Suggested remediation, if available
We reserve the right to reject reports that do not demonstrate meaningful security impact within the accepted categories above.