KB-1447 Vulnerability Testing

The following rules apply to all scanning activity, penetration testing, or other vulnerability assessment performed against Appian Cloud sites or the Appian platform:

Assessment Rules (Appian Cloud only)

  • All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
  • The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
    • Contact information
    • Start time of test (including timezone)
    • Test duration
    • Expected peak bandwidth in Gigabits per second (Gbps)
    • Source IP addresses generating the test traffic
  • Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Denial of service attacks are prohibited.
  • Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.
  • Appian considers any information identified during a security test of an Appian Cloud site to be Confidential Information that is protected under Appian’s contractual agreements with its customers. This obligation to protect Appian’s Confidential Information must flow down to any third-party security consultants hired by Appian customers. Please indicate in the support case whether a third-party entity will be used for security testing and whether the third-party entity has executed a non-disclosure agreement appropriate for the purpose.

Submitting Results

  • Fill out the Appian vulnerability submission worksheet as per the instructions below: 
    • All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional validation.
    • Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
    • Validated vulnerabilities should be submitted to Appian Support via a support ticket.
    • All vulnerability documentation (including results, summaries, and steps) must be submitted in English.
    • All scanning or testing documentation must be accompanied by:
      • A summarized index of all issues found, with the severity level of each issue.
      • Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
        • Allowing inappropriate access to the system or its data.
        • Allowing inappropriate modification of the system or its data.
        • Inappropriate use of a component of the system or as a whole.
      • A description of the risk to the system.
      • Guidance on how to reach the impacted end point(s).
      • Clear steps on how to reproduce the issue.

What to Expect Next

  • Appian will review the findings (assuming all submission requirements have been met) and accept or reject the individual findings.
    • For rejected findings, Appian will provide an explanation as to why the reported vulnerability has been rejected (false-positive, configuration level controls available to mitigate, etc.).
    • For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
  • Appian Support will provide analysis and assessment of the report and individual findings through the support case. 

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: September 2022