Responsible Disclosure of Security Vulnerabilities

AppArmor is committed to secure and reliable technology

The security of our systems and data is the top priority of the AppArmor team. If you are an IT professional and have discovered a security vulnerability in any of our systems, we appreciate your help in disclosing it to us in a responsible manner.

Current Customers and End Users

If you are a current customer or an end user, please contact our support team by email with details of the issue. Our team will give the issue top priority and immediately investigate.

Security Researchers

If you are a security researcher and think you have discovered a vulnerability, please contact our security team immediately by email. Additionally:

  • Please provide as much information as possible, including a way for us to reproduce the issue. Our security team will try to reproduce the issue that you report.
  • Please do not make your research or findings public (or share them with anyone) until we have had adequate time to investigate and deploy a fix. We will notify you when the security vulnerability has been patched.
  • Tell us how to identify you and your organization so we may thank you for your assistance. Our company founders will personally contact you.

Permitted Research

Responsible security researchers are welcome to review our systems. We are grateful for your assistance in improving our systems and for proactive disclosure; however, AppArmor does not tolerate the following:

  • any attempt to access, modify or destroy "live" accounts or data
  • any attempt to disrupt or degrade our systems
  • any attempt to execute a "Denial of Service" attack
  • any research that involves a violation of any applicable law

Any breach of the above will result in our contacting the relevant authorities.

Security Scanning Firms

Organizations that sell security products and services and wish to scan or test our systems without prior notice to our team are not welcome.

No Compensation

AppArmor does not compensate individuals or organizations for identifying vulnerabilities or performing security tests on our systems. Requests for monetary compensation will not be honored.


If you have questions about our responsible disclosure policy, please contact us.