Appaloosa Scout

Compliance & privacy

Legal notices, privacy & responsible disclosure

Mandatory legal information (French LCEN 2004-575, GDPR art. 13-14) and responsible disclosure policy compliant with RFC 9116.

Site publisher

Legal entity: OB2J SAS
Form: French Simplified Joint-Stock Company (SAS)
Address: 22 rue de l'Arcade, 75008 Paris, France
Trade register: Paris B 525 074 478
SIREN: 525 074 478
EU VAT: FR41525074478
Share capital: 10 000 €
Publication director: Julien Ott
Contact: scout@appaloosa.io

Hosting

Host: OB2J SAS
Location: France — sovereign VPS (SecNumCloud / ANSSI compatible)
Note: No user data is transferred outside the EU. No third-party CDN active on pages.

Privacy policy

Appaloosa Scout is designed to operate without user tracking. The residual data processing operations are listed below.

No account, no cookie

Public pages create no session, cookie, or tracking token. Language preference is preserved via URL parameter (/en/...).

IP addresses

Source IPs of /submit and API calls are hashed (SHA-256 + server-side salt) for rate limiting. Cleartext IPs are never stored. Standard web server logs (1 line per request) keep raw IPs for 7 days then rotate; they are neither indexed nor cross-referenced.

/audit CSV file

The file is parsed in memory and the report is generated server-side for the duration of the request. No persistent storage, no third-party sharing. The report is dropped on browser close.

Received emails

Emails sent to scout@appaloosa.io or dpo@appaloosa.io are processed to answer the request (API key, report, GDPR right). Retention: 12 months unless a legal obligation requires longer.

Cookies

No third-party cookie, no analytics cookie. The only cookie that may be set is for the /admin area (HttpOnly, SameSite=Lax, session duration), restricted to OB2J administrators.

Your GDPR rights

Rights of access, rectification, erasure, restriction, objection and portability (GDPR art. 15-22). If you used Scout without an account, we hold no identifying personal data about you. Requests linked to /submit require you to provide the IP address and timestamp for identification (reversibility via hash + salt).

Data Protection Officer (DPO)

DPO contact: dpo@appaloosa.io

Terms of use

Use of the site and API is free, subject to the points below.

  • Service provided "as is". Data comes from public sources (NVD, CISA KEV, vendor advisories) — no guarantee of completeness or accuracy is given. Any remediation decision remains the responsibility of the MDM administrator.
  • The API is rate-limited. Attempts to circumvent the limit, mass scraping and DDoS are prohibited and may result in blocking.
  • Citing the data and inbound links are welcome — "Source: Appaloosa Scout (https://scout.appaloosa.io)" appreciated.
  • API keys are issued to a named holder and must not be shared between organisations. They are revoked immediately upon request.

Responsible disclosure

If you discover a vulnerability on Scout, please contact us BEFORE any publication.

  • Contact: security@appaloosa.io
  • Target response time: 72 business hours. Resolution / coordinated disclosure: 90 days max.
  • Scope: scout.appaloosa.io (front + API). Out-of-scope: NVD, CISA, upstream sources publicly cited.
  • No monetary bug bounty at this time. Public acknowledgment available on request.

/.well-known/security.txt (RFC 9116)

Last updated: 2026-05-14