Reporting security vulnerabilities with AppCheck products or services

If you have found a security bug in an AppCheck website, product or service and want to report it to us, you’ve come to the right place.


Our security philosophy

As a provider of security vulnerability scanning services, we recognize how important it is to help protect the privacy and security of our customers while making use of one of our services.

AppCheck Ltd takes the security of our products and services very seriously. We educate our staff on security best practices and our development process includes peer review and penetration testing to help ensure that our products delivered are secure and of a high quality. However, like all complex software, it is possible for a security vulnerability to make it into one of our products despite our best efforts.


Who should I report vulnerabilities to?

If you discover a security issue in an AppCheck Ltd product or service, we ask that you report it to us confidentially in order to protect the security of our services. Please email the details to our security team at security@appcheck-ng.com. We will investigate all reports received and do our best to quickly fix any genuine issues.


What issues can I report?

We welcome reports of all security vulnerabilities, including:

Web security problems with our websites and portals, such as cross-site scripting (XSS) and SQL injection problems;
Other security concerns such as infrastructure security problems, and information disclosure issues
What details should you include when reporting a security issue?

Please provide as many relevant details as you can. In particular:

What product or site was involved (with a specific URL if relevant)
What steps someone can follow to go from an initial browser load to a point where they observe the vulnerability

If you are a professional penetration tester or security researcher then please additionally provide any of the below additional detail if possible:

Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
Proof-of-concept or exploit code
Target URL, domain, host, port etc
Your client system OS, browser/toolset etc, and versions of each.
Traces and command output if relevant
Sample packet captures or HTTP responses, headers etc
Cookie values, browser user agents used etc
Any special client-side tools or configuration needed to report the issue
Copies of payload (HTTP request, XML/data payload)
Links to associated CVE IDs for the vulnerability, if relevant


Can I use automated scanning tools to look for vulnerabilities on your sites?

No, we expressly forbid the use of automated scanning tools against our products and services, since they can cause high volumes of requests that may impact our other customers. We perform automated scanning of our services ourself in-house at scheduled times and under change/service management to ensure no impact to our customers.


How quickly will you get back to me?

You should receive a response from our security team within 24 hours acknowledging receipt of your report. We take security issues seriously and will respond swiftly to triage and confirm verifiable security issues. After confirming that the issue is genuine, we will assign development and other technical resources to further investigate the issue and fix problems as quickly as possible. Please note that some of our products are complex and may take time to update. We undertake to do our best to update you with a timeline for resolving the issue.


Can I reveal details of the vulnerability to others?

We ask that vulnerabilities discovered are handled in a way that obtain the best outcome for our customers, and specifically that anyone discovering a vulnerability follows responsible disclosure practices, including:

They do not publish the vulnerability prior to AppCheck releasing a fix for it;
They do not divulge exact details of the issue publicly, for example, through exploits or proof-of-concept code;

In return, we commit to making it easy for you to report a vulnerability and to keep you updated as to the progress of the resolution.


Will I be paid for reporting a vulnerability?

AppCheck does not at the time of writing operate a formal bug bounty programme, and are unable to guarantee any financial reward to anyone reporting a vulnerability to us.


Security issues found by AppCheck Research

When the AppCheck research team identifies a vulnerability in another vendors product, the following steps are taken:

AppCheck provides a detailed technical write-up to the vendors security team or appropriate contact.
AppCheck will work with the vendor to provide further assistance in recreating the vulnerability and its associated impact.
In keeping with industry standard, AppCheck will publish an advisory once a remediation is made public by the vendor. This advisory will typically be published within the same week as the vendors own publication, however in some cases AppCheck may limit the technical information provided in the advisory for up to 30 days if requested by the vendor.
In the event the vendor does not respond and/or offer a fix for the vulnerability, AppCheck will release an advisory 90 days following the first contact barring extenuating circumstances.