Responsible Disclosure

We welcome good-faith reports on Appsecco-owned systems. This page explains what is in scope, how to report, and how we review submissions. Please test carefully and avoid actions that could impact service availability or customer data.

A policy grounded in real security work

We handle disclosures as part of long-running product security testing engagements. Our process is designed to protect researchers, customers, and service availability while we verify, fix, and communicate findings responsibly.

Scope and safe testing boundaries

We can accept reports for assets we own and control. The lists below clarify what is in scope and what we cannot test through this program.

In scope

  • Public-facing websites and services under appsecco.com that we control
  • Subdomains or apps that are clearly branded and operated by Appsecco
  • Documentation, marketing, and support properties hosted by Appsecco

Out of scope

  • Third-party services or integrations we do not operate
  • Social engineering, phishing, or physical access attempts
  • Denial-of-service, stress testing, or high-volume scanning
  • Access to data that is not your own or that requires bypassing authentication

Safe testing expectations

  • Use your own accounts and test data only
  • Keep traffic low and avoid automated scanning that could affect availability
  • Stop if you see unintended impact and report it promptly

If you are unsure whether something is in scope, include it in your report and we will confirm.

Reporting process and response flow

We follow a clear, reviewable process so you know what happens after you report a potential issue. We confirm scope, validate safely, and keep communication in one place.

If you are unsure about scope or safe testing methods, ask before proceeding.

Send a detailed report

Email security@appsecco.com with the affected asset, steps to reproduce, impact, and any supporting evidence.

Receipt and scope confirmation

We acknowledge your report, confirm whether the asset is in scope, and ask clarifying questions if needed.

Validation and coordination

We reproduce the issue safely, assess impact, and coordinate fixes with the internal owners of the affected system.

Resolution and credit

We confirm the fix and, with your permission, coordinate any public credit or disclosure once the issue is resolved.

  • Good-faith research within scope is welcome
  • Communication stays in the same email thread
  • No public disclosure before remediation is complete

Recognition with your permission

We appreciate careful, good-faith research. If a report leads to a fix, we can acknowledge your contribution in a way that respects your preferences.

Public credit (optional)

With your approval, we can add your name or handle to a public acknowledgments list.

Private confirmation

If you prefer privacy, we will confirm receipt and resolution in writing.

Reference letter

We can provide a short reference letter describing the report and responsible process.

We do not run a monetary bounty program. Recognition is always optional and based on your consent.

Safe next step

Report an issue, without pressure.

If you believe you found a vulnerability on an Appsecco-owned system, send a detailed report. We will confirm scope, respond in the same thread, and coordinate a safe fix.

Email security@appsecco.com

  • Good-faith reports are welcome
  • We confirm scope before testing
  • No public disclosure without consent