1.1 General Statement
At Software AG, ensuring the safety and security of our systems and application platforms is paramount. We prioritize data security and appreciate the efforts of security researchers who contribute to maintaining our high standards.
If you are a security researcher and have identified a potential security vulnerability in our systems or applications, we encourage you to report it to us responsibly. The Software AG security team highly values the critical role that independent security researchers play in enhancing Internet security. We are committed to collaborating with researchers to verify and address any reported vulnerabilities in a responsible manner.
Before testing or reporting a vulnerability, please review this policy carefully. We assure you that all legitimate reports will be thoroughly investigated, and we will make every effort to promptly resolve any confirmed issues.
You undertake not to disclose to, share with, or publicize to third parties any alleged or unresolved vulnerability.
Please note that this program does not offer monetary rewards for bug submissions.
Thank you for helping us keep Software AG secure.
1.2 Reporting a Potential Security Vulnerability
To report a potential security vulnerability, please privately share the details with Software AG by sending an email to csirt@softwareag.com with “Software AG – Potential Security Vulnerability” in the subject line. Ensure that you provide comprehensive details of the suspected vulnerability to enable our security team to validate and reproduce the issue effectively.
Please note that duplicates may occur if the vulnerability is already known to Software AG, either through prior reports from other researchers or identification by our security teams. In such cases, we will recognize the first report received as the unique submission, and any subsequent reports of the same issue will be marked as duplicates.
1.3 Attributes of a Good Report
To assist our security team in effectively addressing the reported vulnerability, please include the following details in your report:
- Reproduction Steps*: Provide detailed, step-by-step instructions on how to reproduce the vulnerability.
- Relevant Links and URLs*: Include any links clicked, pages visited, and specific URLs involved.
- Environment Details*: Mention the environment in which the vulnerability was discovered, including the operating system, browser, and any relevant software versions.
- User Information: Mention any user IDs or accounts used, along with a clear description of their relationships and interactions.
- Visual Aids: Attach images or videos that illustrate the issue, as these can be highly beneficial.
- Impact Assessment: Describe the potential impact of the vulnerability, including possible risks and damages.
- Technical Details: Provide any technical information or code snippets that can help in understanding the vulnerability.
- Timeline: Include the date and time when the vulnerability was discovered and when any subsequent tests were conducted.
- Mitigation Suggestions: Offer any preliminary suggestions for mitigating or resolving the issue, if possible.
- Confidentiality Request: Indicate if you wish for your report to remain confidential.
By including these details, you will help ensure that our team can promptly validate and address the vulnerability.
Items marked with * are considered mandatory.
1.4 Conduct
We encourage responsible discovery and reporting of vulnerabilities. However, to ensure a safe and productive collaboration, the following conduct is expected. If you adhere to this policy when reporting a potential security vulnerability to Software AG, we will not pursue legal action or law enforcement investigation against you in response to your report. We ask that you:
- Allow Reasonable Time for Mitigation: Give us a reasonable amount of time to investigate and mitigate any reported issue before disclosing it publicly or sharing it with others. Depending on the complexity of the issue, this might take 90 days or more.
- Respect Customer Data: Do not interact with, modify, or access data from a Software AG customer or potential customer without their explicit consent.
- Avoid Privacy Violations and Disruptions: Make a good faith effort to avoid violating privacy, destroying data, or causing interruptions or degradation of our services.
- Do Not Exploit Vulnerabilities: Refrain from exploiting any security issue you discover. This includes demonstrating additional risks or probing for further issues, such as attempting to compromise sensitive company data.
- Adhere to Laws and Regulations: Ensure that you do not violate any applicable laws or regulations while conducting your research.
By following these guidelines, you help maintain a secure and cooperative environment for vulnerability disclosure.
1.5 Prohibited Activities
Software AG does not permit the following types of security research:
- Negative Impact Actions: Performing actions that may negatively affect Software AG or its users, such as spam, brute force attacks, denial of service (DoS) attacks, etc.
- Unauthorized Data Access: Accessing or attempting to access data or information that does not belong to you.
- Data Destruction or Corruption: Destroying, corrupting, or attempting to destroy or corrupt data or information that does not belong to you.
- Attacks on Personnel or Property: Conducting any kind of physical or electronic attack on Software AG personnel, property, or data centers.
- Social Engineering: Engaging in social engineering tactics against any Software AG support desk, employee, or contractor.
- Use of High-Throughput Automated Tools: Utilizing high-throughput automated tools that generate significant traffic and can disrupt services.
- Legal and Contractual Violations: Violating any laws or breaching any agreements in order to discover vulnerabilities.
1.6 Program Exclusions
While we encourage any submission affecting the security of our products and services, unless evidence is provided demonstrating exploitability, the following examples are excluded from this program:
- Clickjacking/UI redressing with no practical security impact
- Content spoofing / text injection
- Software version disclosure
- Self-XSS (cross-site scripting issues must be exploitable via reflected, stored, or DOM-based attacks to be considered valid)
- Logout and other instances of low-severity Cross-Site Request Forgery
- Password and account recovery policies, such as reset link expiration or password complexity
- Cross-site tracing (XST)
- Open redirects with low security impact (exceptions are those cases where the impact is higher such as stealing OAuth tokens)
- Missing HTTP security headers
- Missing cookie flags on non-sensitive cookies
- Invalid, incomplete, or missing SPF (Sender Policy Framework) or DKIM records
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
- Missing best practices in SSL/TLS configuration
- Vulnerabilities that require disabling security features enabled in default configurations
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Use of known-vulnerable libraries without proof of exploitation, e.g. OpenSSL
- Attacks requiring MITM (Man-in-the-Middle) or physical access to a user’s device
1.7 Commitment
Software AG greatly appreciates the efforts of security researchers who identify vulnerabilities and enable us to address issues that might affect our customers. We thank you for your dedication to helping us minimize risks to our customers and supporting our vision to enhance the overall security of our products and the Internet as a whole.