Security: appwrite/docker-mailcatcher

SECURITY.md

Security Policy

Supported Versions

Version Supported
<= 0.15.x
1.0.x
1.1.x
1.2.x
1.3.x
1.4.x
1.5.x
1.6.x
1.7.x
1.8.x

Responsible Disclosure Policy

Appwrite welcomes responsible security research and is committed to keeping our users, data, and infrastructure safe.

Contact

We only accept email reports. Please use this address for all vulnerability reports: [email protected]

Do not open public GitHub issues for security problems.


In Scope

Category | Included
Production domains | *.appwrite.io, *.appwrite.network, *.appwrite.run
Open-source repos | Everything under github.com/appwrite/* or github.com/utopia-php/*
Official SDKs | All Appwrite-maintained SDKs and demo apps

Out of Scope

  • Third-party integrations
  • Rate-limit or brute-force findings
  • Self-XSS or clickjacking on static marketing pages
  • Missing SPF, DMARC, or DKIM records without an exploitable impact
  • Vulnerabilities in dependencies with no viable exploit path

Safe Harbor

We will not pursue legal action or law-enforcement involvement for research that:

  1. Targets only systems listed as in scope
  2. Respects user privacy and does not exfiltrate data
  3. Avoids service degradation or denial of service
  4. Allows us reasonable time to remediate before public disclosure

Reporting Format

Include the following for fastest triage:

  • Clear title and summary of the issue
  • Step-by-step reproduction or proof-of-concept
  • Impact assessment
  • Affected endpoint, repo, or component
  • Suggested remediation if known

Screenshots and detailed logs are appreciated.


Recognition

Discretionary swag bounties may be awarded, but are not guaranteed.


Duplicate Handling

We will inform you if a report is a duplicate, and no further action will be taken.


Public Disclosure

Please wait until either the fix is live or 90 days have passed since our acknowledgment, whichever comes first, before publishing details. Extensions can be arranged by mutual agreement.


Prohibited Actions

  • Social engineering Appwrite core team or customers
  • Physical attacks on offices or data centers
  • Volumetric denial of service
  • Automated scanning that degrades service for other users

Thank you for helping keep Appwrite secure.

There aren’t any published security advisories