Approval Pathway Vulnerability Disclosure Policy (VDP)
Last updated: 2025-10-03
Summary
We appreciate responsible security research. If you discover a security vulnerability affecting Approval Pathway services, please report it so we can fix it quickly and safely.
Scope
In-scope systems:
- *.approvalpathway.com (web apps and APIs)
- Services explicitly published by Approval Pathway (listed below)
Out-of-scope:
- Third-party services and infrastructure that Approval Pathway does not operate (e.g., the underlying cloud provider's own systems)
- Customer systems and data not owned by Approval Pathway
- Social engineering, physical attacks, and denial-of-service testing
If you’re unsure whether something is in-scope, submit a report and we’ll clarify.
How to report
The preferred contact method is email: security@approvalpathway.com
When reporting, please include:
- Affected URL or system
- Proof-of-concept (PoC) steps to reproduce, kept as minimal and non-destructive as possible
- Impact assessment (what you can access or affect)
- A contact email address and, optionally, your PGP public key so we can encrypt our replies
Do not include screenshots or attachments that contain real user data.
Rules of engagement (what we ask researchers to follow):
- Don't perform denial-of-service (DoS) or ransomware-style testing.
- Don't access, modify, or exfiltrate real user/customer data.
- Don't perform tests that would materially disrupt production systems.
- Avoid automated mass-scanning that may affect availability.
- If your testing inadvertently accesses real data, stop immediately, do not retain or share it, and notify us.
What we promise
- Acknowledge receipt within 72 hours.
- Provide an initial triage update within 14 days.
- Work in good faith to remediate validated issues; we’ll provide status updates during remediation.
- We will coordinate public disclosure with you and will not unreasonably delay publishing an advisory.
Safe harbor
If you follow this VDP in good faith (you act reasonably and avoid privacy harm or service disruption), Approval Pathway will not pursue legal action against you for the activity described in your report. This safe harbor does not apply to conduct that violates laws, privacy rights, or third-party agreements.
Rewards
We may offer public acknowledgement or discretionary bounties for high-impact reports. A formal bug-bounty program is not currently in place. If you are seeking monetary compensation, say so in your report; we evaluate such requests case by case.
Disclosure timeline & coordination
We practice coordinated disclosure: after a fix or mitigation is in place, we and the reporter agree on a reasonable public disclosure date.
If a vulnerability is being actively exploited in the wild, we may shorten the disclosure timeline.
Triage & severity
We classify issues as Critical, High, Medium, or Low based on their impact on confidentiality, integrity, and availability. Critical issues (for example, remote code execution, or data exfiltration affecting multiple customers) receive the highest priority.
Legal / Limitations
This policy is not a contract and does not create any legal rights or obligations. Approval Pathway reserves the right to change this policy at any time.
Acknowledgements
If you’d like public acknowledgement, state this in your report. We’ll maintain an acknowledgements page for researchers who opt-in.