Security
Responsible Disclosure
We take the security of our systems seriously. If you have found a vulnerability, we want to hear from you — and we will work with you to verify and resolve it.
Our commitment
We welcome reports from security researchers and members of the public who discover potential vulnerabilities in our systems. We do not currently operate a paid bug bounty program, but we genuinely value responsible disclosure and are happy to credit researchers who report valid issues, with your permission.
In scope
- Production web properties served from appsandwebs.net and its subdomains
- Authentication, authorization, and session-handling flaws
- Injection, cross-site scripting, and server-side request issues
- Exposure of sensitive data or misconfigured access controls
Out of scope
- Denial-of-service, volumetric, or resource-exhaustion testing
- Social engineering, phishing, or physical attacks against staff or offices
- Automated scanner output without a demonstrated, reproducible impact
- Reports affecting only unsupported browsers or third-party services we do not control
Safe harbor
If you make a good-faith effort to comply with this policy during your research, we will consider your testing to be authorized. We will not pursue or support legal action against you for accidental, good-faith violations, and we will work with you to understand and resolve the issue quickly. In return, we ask that you avoid privacy violations, degradation of our services, and destruction of data; that you use only the accounts and assets you own or have explicit permission to test; and that you give us a reasonable opportunity to remediate before any public disclosure.
What to expect
- We aim to acknowledge valid reports within three business days of receipt.
- We will keep you informed as we investigate and remediate, and we will let you know when the issue is resolved.
How to report
Use the form below, or email us directly at security@appsandwebs.net. If you would like to encrypt your report, request our PGP key at the same address and we will share it before you send any sensitive details. Please include enough information for us to reproduce the issue.
Report a vulnerability
Send us the details
The more context you provide — affected asset, steps to reproduce, and impact — the faster we can verify and fix the issue.
Let's Build Something That Scales
Tell us about your project and get a senior engineer's honest perspective — free, and within one business day.