Responsible Vulnerability Disclosure Policy

Applique values the work of the security community in helping to keep our services and customers safe. We welcome reports of suspected security vulnerabilities and will engage with reporters in good faith.

Suspected vulnerabilities should be reported to security@applique.se. Please include a clear description of the issue, the affected component or URL, steps to reproduce, and any supporting materials. Encrypted submissions may be requested where appropriate.

Applique will not pursue legal action against researchers who, in good faith, comply with this policy. To benefit from this safe harbour, researchers must:

• Avoid privacy violations, degradation of service, and destruction of data
• Not access, modify, or exfiltrate data beyond what is strictly necessary to demonstrate the issue
• Refrain from social engineering, phishing, or physical attacks
• Provide Applique reasonable time to investigate and remediate before public disclosure

• Findings from automated scanners without demonstrated impact
• Denial-of-service testing
• Issues affecting outdated browsers or unsupported software
• Reports relating to missing security headers without demonstrated exploitability

We aim to acknowledge reports within five business days, provide an initial assessment within fifteen business days, and keep reporters informed of progress through to remediation.