KB-1447 Vulnerability Testing

The following rules apply to all scanning activity, penetration testing, or other vulnerability assessment performed against Appian Cloud sites or the Appian platform:

Assessment Rules

  • All planned security testing by customers must be submitted to Appian Technical Support at least 3 business days prior to testing via a support case.
  • The following details must be provided in the support case to prevent Appian or its hosting service providers from adding the test source IP addresses to a block list:
    • Contact information
    • Start time of test (including timezone)
    • Test duration
    • Expected peak bandwidth in Gigabits per second (Gbps)
    • Source IP addresses generating the test traffic
  • Only perform assessments against the Appian Cloud Sites or FQDNs for which you have explicit approval.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Denial of service attacks are prohibited.
  • Appian recommends performing assessments against a test or development site whenever possible, rather than a production site.

Submitting Results

  • Fill out the Appian vulnerability submission worksheet as per the instructions below:
    • All submitted vulnerabilities must be validated by the assessor prior to submission. Appian does not accept unvalidated results or direct output from automated scanners without additional validation.
    • Appian requires verifiable evidence such as screenshots, payloads, or any other associated proof-of-concept material as well as manual reproduction steps in order to properly validate any reported vulnerability findings.
    • Validated vulnerabilities should be submitted to Appian Support via a support ticket.
    • All vulnerability documentation (including results, summaries, and steps) must be submitted in English.
    • All scanning or testing documentation must be accompanied by:
      • A summarized index of all issues found, with the severity level of each issue.
      • Clear evidence, produced by the assessor, showing that the proposed vulnerability can be used to exploit the system, for example by:
        • Allowing inappropriate access to the system or its data.
        • Allowing inappropriate modification of the system or its data.
        • Allowing inappropriate use of a component of the system or of the system as a whole.
      • A description of the risk to the system.
      • Guidance on how to reach the impacted end point(s).
      • Clear steps on how to reproduce the issue.

What to Expect Next

  • Appian will review the findings (assuming all submission requirements have been met) and accept or reject the individual findings.
    • For rejected findings, Appian will provide an explanation as to why the reported vulnerability has been rejected (false-positive, configuration level controls available to mitigate, etc.).
    • For accepted findings, Appian will classify the severity of the finding as Low/Medium/High/Critical.
  • Appian Support will provide analysis and assessment of the report and individual findings through the support case.

Affected Versions

This article applies to all versions of Appian Cloud.

Last Reviewed: May 2021
