Last updated: 16 June 2025
Thank you for taking the time to help us keep Apply.Build and our customers secure. We run a multi-tenant PaaS based in Finland and welcome reports of any vulnerability you find in our platform, APIs, or infrastructure.
| In scope | Out of scope |
|---|---|
| *.apply.build web apps & APIs | Third-party customer applications ({tenant_app}.apps.apply.build) |
| Control panel & billing portal | Denial-of-Service (volumetric) |
| Kubernetes / Kata isolation, eBPF network policy, WAF | Automated scans without prior authorisation |
| Public ingress endpoints and TLS configuration | Issues that require physical access or social-engineering of Codebite staff |
If you are unsure whether something is in scope, ask first at security@codebite.fi.
| Step | Timeline |
|---|---|
| Acknowledge receipt | ≤ 2 business days |
| Initial assessment & priority | ≤ 5 business days |
| Status update to reporter | Every 7 days until fixed |
| Public advisory / CVE (if applicable) | Mutually agreed |
| Non-retaliation | We will not pursue legal action when research follows this policy. |
During beta we do not offer monetary bounties, but we will:
Activities conducted in good faith and in compliance with this policy are considered authorised. If legal action is initiated by a third party, we will make clear to the authority that your actions were conducted pursuant to this policy.
© 2025 Codebite Oy