Scope
The Appaloft website, console, authentication, deployment APIs, and official release assets are in priority scope. User-deployed third-party apps are not authorized test targets.
Testing rules
Avoid data destruction, persistence, social engineering, phishing, spam, DDoS, physical attacks, accessing data you are not authorized to view, or creating extra cost for third-party infrastructure.
Report content
Include impact, reproduction steps, screenshots or logs, affected URLs/APIs, suggested remediation, and your contact details.
Handling expectations
We will try to acknowledge reports, assess risk, schedule fixes, and coordinate disclosure timing where appropriate. Unless separately announced, this draft does not create a paid bug bounty program.
Contact
Send reports to [email protected]. Do not disclose exploitable details in public issues.