Responsible Disclosure Policy

This web page represents a legal document with terms and conditions applicable to all individuals who intend to research information security vulnerabilities on Appfarm AS assets.

The Submission Process

If you believe you have found any vulnerabilities in assets defined in the scope, a thorough report can be submitted to

A member of our security team will then review the report and get back to you, normally within a week. Depending on the criticality of the report, response time will vary.


We’re always interested in hearing about any reproducible vulnerability that affects the security of users, including:

  • Remote Code Execution (RCE)

  • SQL Injection (SQLi)

  • Server Side Request Forgery (SSRF)

  • Cross-Site Request Forgery (CSRF)

  • Cross-Site Scripting (XSS)

We are generally not interested in reports pointing out the following issues:

  • HTTP sniffing or HTTP tampering exploits

  • Open API endpoints serving public data

  • Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks.

  • Output from automated scans

  • Clickjacking with minimal security implications

  • Missing DMARC records or other email headers

  • Missing CAA

  • Missing webpage headers


Currently, all Appfarm services run on the following domain and subdomains:


  • *

Potential problems with our sub-processors will be forwarded to the responsible party so they can evaluate the report.


We do not currently have any set prices for reports that we receive. We do not offer monetary rewards, but we do offer swag if we believe that a report provides valuable information for our organization.

Last updated