Skip to content
Security research

Responsible Disclosure

We welcome good-faith security research. Reports should be clear, restrained, and reproducible.

Last updated: June 25, 2026

This is a public draft for the early Appaloft Cloud website. It is not final legal advice or formal commercial terms, and should be reviewed by counsel before commercial launch.

Scope

The Appaloft website, console, authentication, deployment APIs, and official release assets are in priority scope. User-deployed third-party apps are not authorized test targets.

Testing rules

Avoid data destruction, persistence, social engineering, phishing, spam, DDoS, physical attacks, accessing data you are not authorized to view, or creating extra cost for third-party infrastructure.

Report content

Include impact, reproduction steps, screenshots or logs, affected URLs/APIs, suggested remediation, and your contact details.

Handling expectations

We will try to acknowledge reports, assess risk, schedule fixes, and coordinate disclosure timing where appropriate. Unless separately announced, this draft does not create a paid bug bounty program.

Contact

Send reports to [email protected]. Do not disclose exploitable details in public issues.