Loading...


© 2024-2026 Approval Pathway. All rights reserved.
Last updated: 2025-10-03
We appreciate responsible security research. If you discover a security vulnerability affecting Approval Pathway services, please report it so we can fix it quickly and safely.
In-scope systems:
*.approvalpathway.com (web apps and APIs)
Services explicitly published by Approval Pathway (listed below)
Out-of-scope:
Third-party services (e.g., cloud provider infrastructure you don’t have an account on)
Customer systems and data not owned by Approval Pathway
Social engineering, physical attacks, and denial-of-service testing
If you’re unsure whether something is in-scope, submit a report and we’ll clarify.
Preferred contact method is email: security@approvalpathway.com
When reporting, please include:
Affected URL or system
Proof-of-concept (POC) steps to reproduce (as minimal and non-destructive as possible)
Impact assessment (what you can access or affect)
Your contact email and PGP public key (optional)
Do not include screenshots or attachments that contain real user data.
Rules of engagement (what we ask researchers to follow):
Don’t perform denial-of-service (DoS) or ransomware-style testing.
Don’t access, modify, or exfiltrate real user/customer data.
Don’t perform tests that would materially disrupt production systems.
Avoid automated mass-scanning that may affect availability.
If your testing accidentally accesses data, stop immediately and notify us.
Acknowledge receipt within 72 hours.
Provide an initial triage update within 14 days.
Work in good faith to remediate validated issues; we’ll provide status updates during remediation.
We will coordinate public disclosure with you and will not unreasonably delay publishing an advisory.
If you follow this VDP in good faith (you act reasonably and avoid privacy harm or service disruption), Approval Pathway will not pursue legal action against you for the activity described in your report. This safe-harbor does not apply to conduct that violates laws, privacy rights, or third-party agreements.
We may offer public acknowledgement or discretionary bounties for high-impact reports. A formal bug-bounty program is currently not in place. If you wish monetary compensation, indicate this in your report - we’ll evaluate case-by-case.
We expect coordinated disclosure: we and the reporter will agree on a reasonable public disclosure date after fix or mitigation.
If a serious exploit is being actively abused in the wild, we may shorten disclosure timelines.
We classify issues by impact (e.g., Critical, High, Medium, Low) based on confidentiality, integrity, and availability impact. Critical issues (remote code execution, data exfiltration affecting multiple customers) receive highest priority.
This policy is not a contract and does not create any legal rights or obligations. Approval Pathway reserves the right to change this policy at any time.
If you’d like public acknowledgement, state this in your report. We’ll maintain an acknowledgements page for researchers who opt-in.