KB-1447 Appian Cloud Vulnerability Testing

Kaushal Patel — Tue, 14 Apr 2026 15:29:27 GMT

Current Revision posted to Appian Knowledge Base by Kaushal Patel on 4/14/2026 3:29:27 PM

Purpose

Cloud customers can perform security-related activities against their Appian environments such as penetration testing and vulnerability scanning as well as software composition analysis scans on installers, containers and plugin jars. This article outlines assessment rules and accepted formats for submitting vulnerabilities to Appian.

Appian Cloud Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 US business days (Mon-Fri 9:00 AM to 6:00 PM EST/EDT)
prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.
Appian considers any information identified during a security test of an Appian Cloud site to be Confidential Information that is protected under Appian’s contractual agreements with its customers. This obligation to protect Appian’s Confidential Information must flow down to any third-party security consultants hired by Appian customers. Please indicate in the support case whether a third-party entity will be used for security testing and whether the third-party entity has executed a non-disclosure agreement appropriate for the purpose.

Submitting Results

The following applies to all submissions:

Appian reviews security scan results only for recent hotfixes. Customers running older hotfix versions should upgrade to a recent hotfix and resubmit security scan results before Appian team initiates review.
All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian Vulnerability Submission Worksheet according the instructions below:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept invalidated results or direct output from automated scanners without additional manual validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers, containers and plugin jars.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.
- For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
- For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all versions of Appian Cloud

Last Reviewed: April 2026

Tags: Security, Cloud

KB-1447 Appian Cloud Vulnerability Testing

Kaushal Patel — Fri, 16 Jan 2026 18:17:42 GMT

Revision 33 posted to Appian Knowledge Base by Kaushal Patel on 1/16/2026 6:17:42 PM

Purpose

Appian Cloud Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.
Appian considers any information identified during a security test of an Appian Cloud site to be Confidential Information that is protected under Appian’s contractual agreements with its customers. This obligation to protect Appian’s Confidential Information must flow down to any third-party security consultants hired by Appian customers. Please indicate in the support case whether a third-party entity will be used for security testing and whether the third-party entity has executed a non-disclosure agreement appropriate for the purpose.

Submitting Results

The following applies to all submissions:

Appian reviews security scan results only for recent hotfixes. Customers running older hotfix versions should upgrade to a recent hotfix and resubmit security scan results before Appian team initiates review.
All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian Vulnerability Submission Worksheet according the instructions below:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional manual validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers, containers and plugin jars.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.
- For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
- For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all versions of Appian Cloud

Last Reviewed: May 2023

Tags: Security, Cloud

KB-1447 Appian Cloud Vulnerability Testing

Maggie Deppe-Walker — Wed, 04 Dec 2024 23:22:25 GMT

Revision 32 posted to Appian Knowledge Base by Maggie Deppe-Walker on 12/4/2024 11:22:25 PM

Purpose

Appian Cloud Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.
Appian considers any information identified during a security test of an Appian Cloud site to be Confidential Information that is protected under Appian’s contractual agreements with its customers. This obligation to protect Appian’s Confidential Information must flow down to any third-party security consultants hired by Appian customers. Please indicate in the support case whether a third-party entity will be used for security testing and whether the third-party entity has executed a non-disclosure agreement appropriate for the purpose.

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian Vulnerability Submission Worksheet according the instructions below:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional manual validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers, containers and plugin jars.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.
- For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
- For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all versions of Appian Cloud

Last Reviewed: May 2023

Tags: Security, Cloud

KB-1447 Appian Cloud Vulnerability Testing

pauline.delacruz — Wed, 28 Aug 2024 19:27:25 GMT

Revision 31 posted to Appian Knowledge Base by pauline.delacruz on 8/28/2024 7:27:25 PM

Purpose

Appian Cloud Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.
Appian considers any information identified during a security test of an Appian Cloud site to be Confidential Information that is protected under Appian’s contractual agreements with its customers. This obligation to protect Appian’s Confidential Information must flow down to any third-party security consultants hired by Appian customers. Please indicate in the support case whether a third-party entity will be used for security testing and whether the third-party entity has executed a non-disclosure agreement appropriate for the purpose.

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian Vulnerability Submission Worksheet according the instructions below:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional manual validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers, containers and plugin jars.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.
- For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
- For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all versions of Appian Cloud

Last Reviewed: May 2023

Tags: Security, Cloud

KB-1447 Appian Cloud Vulnerability Testing

pauline.delacruz — Mon, 19 Aug 2024 20:53:59 GMT

Revision 30 posted to Appian Knowledge Base by pauline.delacruz on 8/19/2024 8:53:59 PM

Purpose

Appian Cloud Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case if no third party is involved in any phase of the testing or the tool used for scanning is not sending any information to a third party. If a third party is involved in any phase of the testing or the tool used for testing is sending any information to a third party, customers must submit the support case at least 10 business days prior to testing along with a completed NDA.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.
Appian considers any information identified during a security test of an Appian Cloud site to be Confidential Information that is protected under Appian’s contractual agreements with its customers. This obligation to protect Appian’s Confidential Information must flow down to any third-party security consultants hired by Appian customers. Please indicate in the support case whether a third-party entity will be used for security testing and whether the third-party entity has executed a non-disclosure agreement appropriate for the purpose.

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian Vulnerability Submission Worksheet according the instructions below:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional manual validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers, containers and plugin jars.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.
- For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
- For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all versions of Appian Cloud

Last Reviewed: August 2024

Tags: Security, Cloud

KB-1447 Appian Cloud Vulnerability Testing

Elly Meng — Wed, 03 May 2023 16:09:44 GMT

Revision 29 posted to Appian Knowledge Base by Elly Meng on 5/3/2023 4:09:44 PM

Purpose

Appian Cloud Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.
Appian considers any information identified during a security test of an Appian Cloud site to be Confidential Information that is protected under Appian’s contractual agreements with its customers. This obligation to protect Appian’s Confidential Information must flow down to any third-party security consultants hired by Appian customers. Please indicate in the support case whether a third-party entity will be used for security testing and whether the third-party entity has executed a non-disclosure agreement appropriate for the purpose.

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian Vulnerability Submission Worksheet according the instructions below:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional manual validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers, containers and plugin jars.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.
- For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
- For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all versions of Appian Cloud

Last Reviewed: May 2023

Tags: Security, Cloud

KB-1447 Appian Cloud Vulnerability Testing

Elly Meng — Wed, 03 May 2023 16:08:40 GMT

Revision 28 posted to Appian Knowledge Base by Elly Meng on 5/3/2023 4:08:40 PM

Purpose

Appian Cloud Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.
Appian considers any information identified during a security test of an Appian Cloud site to be Confidential Information that is protected under Appian’s contractual agreements with its customers. This obligation to protect Appian’s Confidential Information must flow down to any third-party security consultants hired by Appian customers. Please indicate in the support case whether a third-party entity will be used for security testing and whether the third-party entity has executed a non-disclosure agreement appropriate for the purpose.

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian Vulnerability Submission Worksheet according the instructions below:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional manual validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers, containers and plugin jars.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.

Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all versions of Appian Cloud

Last Reviewed: May 2023

Tags: Security, Cloud

KB-1447 Appian Cloud Vulnerability Testing

Elly Meng — Wed, 03 May 2023 16:07:44 GMT

Revision 27 posted to Appian Knowledge Base by Elly Meng on 5/3/2023 4:07:44 PM

Purpose

Appian Cloud Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.
Appian considers any information identified during a security test of an Appian Cloud site to be Confidential Information that is protected under Appian’s contractual agreements with its customers. This obligation to protect Appian’s Confidential Information must flow down to any third-party security consultants hired by Appian customers. Please indicate in the support case whether a third-party entity will be used for security testing and whether the third-party entity has executed a non-disclosure agreement appropriate for the purpose.

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian Vulnerability Submission Worksheet as per the instructions below:

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional validation.
Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers, containers and plugin jars.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.

Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all versions of Appian Cloud

Last Reviewed: May 2023

Tags: Security, Cloud

KB-1447 Appian Cloud Vulnerability Testing

Elly Meng — Wed, 03 May 2023 16:05:23 GMT

Revision 26 posted to Appian Knowledge Base by Elly Meng on 5/3/2023 4:05:23 PM

Purpose

Appian Cloud Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.
Appian considers any information identified during a security test of an Appian Cloud site to be Confidential Information that is protected under Appian’s contractual agreements with its customers. This obligation to protect Appian’s Confidential Information must flow down to any third-party security consultants hired by Appian customers. Please indicate in the support case whether a third-party entity will be used for security testing and whether the third-party entity has executed a non-disclosure agreement appropriate for the purpose.

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian Vulnerability Submission Worksheet as per the instructions below:
- All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional validation.
- Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
- All scanning or testing documentation must be accompanied by:
  - A summarized index of all issues found, with the severity level of each issue.
  - Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
    - Allowing inappropriate access to the system or its data.
    - Allowing inappropriate modification of the system or its data.
    - Inappropriate use of a component of the system or as a whole.
  - A description of the risk to the system.
  - Guidance on how to reach the impacted end point(s).
  - Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers, containers and plugin jars.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.

Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all versions of Appian Cloud

Last Reviewed: May 2023

Tags: Security, Cloud

KB-1447 Appian Cloud Vulnerability Testing

Elly Meng — Wed, 03 May 2023 16:03:17 GMT

Revision 25 posted to Appian Knowledge Base by Elly Meng on 5/3/2023 4:03:17 PM

The following rules apply to all scanning activity, penetration testing, or other vulnerability assessment performed against Appian Cloud sites or the Appian platform:

Appian Cloud Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.
Appian considers any information identified during a security test of an Appian Cloud site to be Confidential Information that is protected under Appian’s contractual agreements with its customers. This obligation to protect Appian’s Confidential Information must flow down to any third-party security consultants hired by Appian customers. Please indicate in the support case whether a third-party entity will be used for security testing and whether the third-party entity has executed a non-disclosure agreement appropriate for the purpose.

Submitting Results

The following applies to all submissions:

All documentation (including results, summaries, and reproduction steps) must be submitted in English.
Appian will not accept findings that are missing information within the provided templates.
Submissions much be done via support case.

Appian Vulnerabilities

This section is applicable to penetration testing or vulnerability scans against Appian installations.

Fill out the Appian Vulnerability Submission Worksheet as per the instructions below:
- All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional validation.
- Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
- All scanning or testing documentation must be accompanied by:
  - A summarized index of all issues found, with the severity level of each issue.
  - Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
    - Allowing inappropriate access to the system or its data.
    - Allowing inappropriate modification of the system or its data.
    - Inappropriate use of a component of the system or as a whole.
  - A description of the risk to the system.
  - Guidance on how to reach the impacted end point(s).
  - Clear steps on how to reproduce the issue.

Appian Third-Party Component Vulnerabilities

This section is applicable to Software Composition Analysis scans against Appian installers, containers and plugin jars.

Fill out the Appian third-party vulnerability submission worksheet according to the instructions below:

If the vulnerability reporting source is vendor specific (ex: BlackDuck or X-Ray), the customer should provide as much explanatory detail as possible in the Description column in order for Appian to effectively validate the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and either accept or reject each one.

For rejected findings, Appian will provide an explanation as to why the reported vulnerability was rejected (false positive, configuration-level controls available to mitigate, etc.).
For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.

Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all versions of Appian Cloud

Last Reviewed: May 2023

Tags: Security, Cloud

KB-1447 Appian Cloud Vulnerability Testing

Maggie Deppe-Walker — Mon, 17 Apr 2023 08:34:29 GMT

Revision 24 posted to Appian Knowledge Base by Maggie Deppe-Walker on 4/17/2023 8:34:29 AM

The following rules apply to all scanning activity, penetration testing, or other vulnerability assessment performed against Appian Cloud sites or the Appian platform:

Appian Cloud Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.
Appian considers any information identified during a security test of an Appian Cloud site to be Confidential Information that is protected under Appian’s contractual agreements with its customers. This obligation to protect Appian’s Confidential Information must flow down to any third-party security consultants hired by Appian customers. Please indicate in the support case whether a third-party entity will be used for security testing and whether the third-party entity has executed a non-disclosure agreement appropriate for the purpose.

Submitting Results

Fill out the Appian Vulnerability Submission Worksheet as per the instructions below:
- All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional validation.
- Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
- Validated vulnerabilities should be submitted to Appian Support via a support ticket.
- All vulnerability documentation (including results, summaries, and steps) must be submitted in English.
- All scanning or testing documentation must be accompanied by:
  - A summarized index of all issues found, with the severity level of each issue.
  - Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
    - Allowing inappropriate access to the system or its data.
    - Allowing inappropriate modification of the system or its data.
    - Inappropriate use of a component of the system or as a whole.
  - A description of the risk to the system.
  - Guidance on how to reach the impacted end point(s).
  - Clear steps on how to reproduce the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and accept or reject the individual findings.
- For rejected findings, Appian will provide an explanation as to why the reported vulnerability has been rejected (false-positive, configuration level controls available to mitigate, etc.).
- For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all versions of Appian Cloud

Last Reviewed: April 2023

Tags: Security, Cloud

KB-1447 Appian Cloud Vulnerability Testing

Elly Meng — Fri, 24 Feb 2023 22:10:31 GMT

Revision 23 posted to Appian Knowledge Base by Elly Meng on 2/24/2023 10:10:31 PM

The following rules apply to all scanning activity, penetration testing, or other vulnerability assessment performed against Appian Cloud sites or the Appian platform:

Appian Cloud Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.
Appian considers any information identified during a security test of an Appian Cloud site to be Confidential Information that is protected under Appian’s contractual agreements with its customers. This obligation to protect Appian’s Confidential Information must flow down to any third-party security consultants hired by Appian customers. Please indicate in the support case whether a third-party entity will be used for security testing and whether the third-party entity has executed a non-disclosure agreement appropriate for the purpose.

Submitting Results

Fill out the Appian vulnerability submission worksheet as per the instructions below:
- All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional validation.
- Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
- Validated vulnerabilities should be submitted to Appian Support via a support ticket.
- All vulnerability documentation (including results, summaries, and steps) must be submitted in English.
- All scanning or testing documentation must be accompanied by:
  - A summarized index of all issues found, with the severity level of each issue.
  - Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
    - Allowing inappropriate access to the system or its data.
    - Allowing inappropriate modification of the system or its data.
    - Inappropriate use of a component of the system or as a whole.
  - A description of the risk to the system.
  - Guidance on how to reach the impacted end point(s).
  - Clear steps on how to reproduce the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and accept or reject the individual findings.
- For rejected findings, Appian will provide an explanation as to why the reported vulnerability has been rejected (false-positive, configuration level controls available to mitigate, etc.).
- For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analyses and impact assessments of the report and individual findings through the support case.

Affected Versions

This article applies to all versions of Appian Cloud

Last Reviewed: February 2023

Tags: Security, Cloud

KB-1447 Appian Cloud Vulnerability Testing

Elly Meng — Tue, 21 Feb 2023 18:43:52 GMT

Revision 22 posted to Appian Knowledge Base by Elly Meng on 2/21/2023 6:43:52 PM

The following rules apply to all scanning activity, penetration testing, or other vulnerability assessment performed against Appian Cloud sites or the Appian platform:

Appian Cloud Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.
Appian considers any information identified during a security test of an Appian Cloud site to be Confidential Information that is protected under Appian’s contractual agreements with its customers. This obligation to protect Appian’s Confidential Information must flow down to any third-party security consultants hired by Appian customers. Please indicate in the support case whether a third-party entity will be used for security testing and whether the third-party entity has executed a non-disclosure agreement appropriate for the purpose.

Submitting Results

Fill out the Appian vulnerability submission worksheet as per the instructions below:
- All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional validation.
- Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
- Validated vulnerabilities should be submitted to Appian Support via a support ticket.
- All vulnerability documentation (including results, summaries, and steps) must be submitted in English.
- All scanning or testing documentation must be accompanied by:
  - A summarized index of all issues found, with the severity level of each issue.
  - Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
    - Allowing inappropriate access to the system or its data.
    - Allowing inappropriate modification of the system or its data.
    - Inappropriate use of a component of the system or as a whole.
  - A description of the risk to the system.
  - Guidance on how to reach the impacted end point(s).
  - Clear steps on how to reproduce the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and accept or reject the individual findings.
- For rejected findings, Appian will provide an explanation as to why the reported vulnerability has been rejected (false-positive, configuration level controls available to mitigate, etc.).
- For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analysis and assessment of the report and individual findings through the support case.

Affected Versions

This article applies to all versions of Appian Cloud

Last Reviewed: February 2023

Tags: Security, Cloud

KB-1447 Vulnerability Testing

Elly Meng — Thu, 22 Sep 2022 20:56:44 GMT

Revision 21 posted to Appian Knowledge Base by Elly Meng on 9/22/2022 8:56:44 PM

The following rules apply to all scanning activity, penetration testing, or other vulnerability assessment performed against Appian Cloud sites or the Appian platform:

Assessment Rules (Appian Cloud only)

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.
Appian considers any information identified during a security test of an Appian Cloud site to be Confidential Information that is protected under Appian’s contractual agreements with its customers. This obligation to protect Appian’s Confidential Information must flow down to any third-party security consultants hired by Appian customers. Please indicate in the support case whether a third-party entity will be used for security testing and whether the third-party entity has executed a non-disclosure agreement appropriate for the purpose.

Submitting Results

Fill out the Appian vulnerability submission worksheet as per the instructions below:
- All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional validation.
- Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
- Validated vulnerabilities should be submitted to Appian Support via a support ticket.
- All vulnerability documentation (including results, summaries, and steps) must be submitted in English.
- All scanning or testing documentation must be accompanied by:
  - A summarized index of all issues found, with the severity level of each issue.
  - Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
    - Allowing inappropriate access to the system or its data.
    - Allowing inappropriate modification of the system or its data.
    - Inappropriate use of a component of the system or as a whole.
  - A description of the risk to the system.
  - Guidance on how to reach the impacted end point(s).
  - Clear steps on how to reproduce the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and accept or reject the individual findings.
- For rejected findings, Appian will provide an explanation as to why the reported vulnerability has been rejected (false-positive, configuration level controls available to mitigate, etc.).
- For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analysis and assessment of the report and individual findings through the support case.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: September 2022

Tags: self-managed, Security, Cloud

KB-1447 Vulnerability Testing

Elly Meng — Tue, 19 Apr 2022 18:15:15 GMT

Revision 20 posted to Appian Knowledge Base by Elly Meng on 4/19/2022 6:15:15 PM

The following rules apply to all scanning activity, penetration testing, or other vulnerability assessment performed against Appian Cloud sites or the Appian platform:

Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.
Appian considers any information identified during a security test of an Appian Cloud site to be Confidential Information that is protected under Appian’s contractual agreements with its customers. This obligation to protect Appian’s Confidential Information must flow down to any third-party security consultants hired by Appian customers. Please indicate in the support case whether a third-party entity will be used for security testing and whether the third-party entity has executed a non-disclosure agreement appropriate for the purpose.

Submitting Results

Fill out the Appian vulnerability submission worksheet as per the instructions below:
- All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional validation.
- Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
- Validated vulnerabilities should be submitted to Appian Support via a support ticket.
- All vulnerability documentation (including results, summaries, and steps) must be submitted in English.
- All scanning or testing documentation must be accompanied by:
  - A summarized index of all issues found, with the severity level of each issue.
  - Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
    - Allowing inappropriate access to the system or its data.
    - Allowing inappropriate modification of the system or its data.
    - Inappropriate use of a component of the system or as a whole.
  - A description of the risk to the system.
  - Guidance on how to reach the impacted end point(s).
  - Clear steps on how to reproduce the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and accept or reject the individual findings.
- For rejected findings, Appian will provide an explanation as to why the reported vulnerability has been rejected (false-positive, configuration level controls available to mitigate, etc.).
- For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analysis and assessment of the report and individual findings through the support case.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: April 2022

Tags: Security, Cloud

KB-1447 Vulnerability Testing

Nicholas Van Dyke — Fri, 14 May 2021 23:33:25 GMT

Revision 19 posted to Appian Knowledge Base by Nicholas Van Dyke on 5/14/2021 11:33:25 PM

The following rules apply to all scanning activity, penetration testing, or other vulnerability assessment performed against Appian Cloud sites or the Appian platform:

Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.

Submitting Results

Fill out the Appian vulnerability submission worksheet as per the instructions below:
- All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional validation.
- Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
- Validated vulnerabilities should be submitted to Appian Support via a support ticket.
- All vulnerability documentation (including results, summaries, and steps) must be submitted in English.
- All scanning or testing documentation must be accompanied by:
  - A summarized index of all issues found, with the severity level of each issue.
  - Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
    - Allowing inappropriate access to the system or its data.
    - Allowing inappropriate modification of the system or its data.
    - Inappropriate use of a component of the system or as a whole.
  - A description of the risk to the system.
  - Guidance on how to reach the impacted end point(s).
  - Clear steps on how to reproduce the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and accept or reject the individual findings.
- For rejected findings, Appian will provide an explanation as to why the reported vulnerability has been rejected (false-positive, configuration level controls available to mitigate, etc.).
- For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analysis and assessment of the report and individual findings through the support case.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: May 2021

Tags: Security, Cloud

KB-1447 Vulnerability Testing

Parmida Borhani — Sun, 02 Aug 2020 22:50:18 GMT

Revision 18 posted to Appian Knowledge Base by Parmida Borhani on 8/2/2020 10:50:18 PM

The following rules apply to all scanning activity, penetration testing, or other vulnerability assessment performed against Appian Cloud sites or the Appian platform:

Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.

Submitting Results

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional validation.
- Validation requires that the assessor has reviewed the issues to remove false positives, and is able to reproduce any issues and prove to Appian that they can be used to exploit the system.
Validated vulnerabilities should be submitted to Appian Support via a support ticket.
All vulnerability documentation (including results, summaries, and steps) must be submitted in English.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and accept or reject the individual findings.
- For rejected findings, Appian will provide an explanation as to why the reported vulnerability has been rejected (false-positive, configuration level controls available to mitigate, etc.).
- For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analysis and assessment of the report and individual findings through the support case.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: August 2020

Tags: Security, Cloud

KB-1447 Vulnerability Testing

Parmida Borhani — Fri, 10 Jul 2020 05:49:37 GMT

Revision 17 posted to Appian Knowledge Base by Parmida Borhani on 7/10/2020 5:49:37 AM

The following rules apply to all scanning activity, penetration testing, or other vulnerability assessment performed against Appian Cloud sites or the Appian platform:

Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.

Submitting Results

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional validation.
- Validation requires that the assessor has reviewed the issues to remove false positives, and is able to reproduce any issues and prove to Appian that they can be used to exploit the system.
Validated vulnerabilities should be submitted to Appian Support via a support ticket.
All vulnerability documentation (including results, summaries, and steps) must be submitted in English.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and accept or reject the individual findings.
- For rejected findings, Appian will provide an explanation as to why the reported vulnerability has been rejected (false-positive, configuration level controls available to mitigate, etc.).
- For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analysis and assessment of the report and individual findings through the support case.
Appian will make a best effort to address accepted vulnerabilities in accordance with industry standards below based on the severity classifications of the findings:

Severity	LOW	MEDIUM	HIGH	CRITICAL
SLA	90 days	45 days	ASAP/max 5 days	ASAP/max 5 days

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: July 2020

Tags: Security, Cloud

KB-1447 Vulnerability Testing

Parmida Borhani — Fri, 10 Jul 2020 05:49:07 GMT

Revision 16 posted to Appian Knowledge Base by Parmida Borhani on 7/10/2020 5:49:07 AM

The following rules apply to all scanning activity, penetration testing, or other vulnerability assessment performed against Appian Cloud sites or the Appian platform:

Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.

Submitting Results

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional validation.
- Validation requires that the assessor has reviewed the issues to remove false positives, and is able to reproduce any issues and prove to Appian that they can be used to exploit the system.
Validated vulnerabilities should be submitted to Appian Support via a support ticket.
All vulnerability documentation (including results, summaries, and steps) must be submitted in English.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

What to Expect Next

Appian will review the findings (assuming all submission requirements have been met) and accept or reject the individual findings.
- For rejected findings, Appian will provide an explanation as to why the reported vulnerability has been rejected (false-positive, configuration level controls available to mitigate, etc.).
- For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
Appian Support will provide analysis and assessment of the report and individual findings through the Support Case.
Appian will make a best effort to address accepted vulnerabilities in accordance with industry standards below based on the severity classifications of the findings:

Severity	LOW	MEDIUM	HIGH	CRITICAL
SLA	90 days	45 days	ASAP/max 5 days	ASAP/max 5 days

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: July 2020

Tags: Security, Cloud

KB-1447 Vulnerability Testing

James Lee — Wed, 01 Jul 2020 22:23:17 GMT

Revision 15 posted to Appian Knowledge Base by James Lee on 7/1/2020 10:23:17 PM

The following rules apply to all scanning activity, penetration testing, or other vulnerability assessment performed against Appian Cloud sites or the Appian platform:

Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.

Submitting Results

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional validation.
- Validation requires that the assessor has reviewed the issues to remove false positives, and is able to reproduce any issues and prove to Appian that they can be used to exploit the system.
Validated vulnerabilities should be submitted to Appian Support via a support ticket.
All vulnerability documentation (including results, summaries, and steps) must be submitted in English.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: July 2020

Tags: Security, Cloud

KB-1447 Vulnerability Testing

Rebecca Jonas — Thu, 18 Jun 2020 20:00:49 GMT

Revision 14 posted to Appian Knowledge Base by Rebecca Jonas on 6/18/2020 8:00:49 PM

The following rules apply to all scanning activity, penetration testing, or other vulnerability assessment performed against Appian Cloud sites or the Appian platform:

Assessment Rules

All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
- Contact information
- Start time of test (including timezone)
- Test duration
- Expected peak bandwidth in Gigabits per second (Gbps)
- Source IP addresses generating the test traffic
Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Denial of service attacks are prohibited.
Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.

Submitting Results

All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional validation.
- Validation requires that the assessor has reviewed the issues to remove false positives, and is able to reproduce any issues and prove to Appian that they can be used to exploit the system.
Validated vulnerabilities should be submitted to Appian Support via a support ticket.
All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
  - Allowing inappropriate access to the system or its data.
  - Allowing inappropriate modification of the system or its data.
  - Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
- Guidance on how to reach the impacted end point(s).
- Clear steps on how to reproduce the issue.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: June 2020

Tags: Security, Cloud