The following rules apply to all scanning activity, penetration testing, or other vulnerability assessment performed against Appian Cloud sites or the Appian platform:
Assessment Rules
- All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support ticket.
- Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Denial of service attacks are prohibited.
- Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.
Submitting Results
- All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional validation.
- Validation requires that the assessor has reviewed the issues to remove false positives, and is able to reproduce any issues and prove to Appian that they can be used to exploit the system.
- Validated vulnerabilities should be submitted to Appian Support via a support ticket.
- All scanning or testing documentation must be accompanied by:
- A summarized index of all issues found, with the severity level of each issue.
- Clear evidence performed by the assessor showing that the proposed vulnerability can be used to exploit the system, for example by:
- Allowing inappropriate access to the system or its data.
- Allowing inappropriate modification of the system or its data.
- Inappropriate use of a component of the system or as a whole.
- A description of the risk to the system.
Affected Versions
This article applies to all versions of Appian Cloud.
Last Reviewed: April 2019