Disclosure Guidelines for SAP Security Advisories


SAP takes the security of its products very seriously, with a comprehensive secure software development life-cycle process, clear quality and security standards for software development, and a dedicated Security Response process in place as the most visible evidence of its commitment. The SAP Security Response team is responsible for investigating all reported security vulnerabilities, working closely with the reporters of vulnerabilities and with SAP product development to provide patches, and informing customers about the patches and their importance. Since the integrity and security of business operations is crucial for businesses in all industries, SAP as a provider of business software is absolutely committed to maintaining the highest possible level of security within its products.
SAP encourages the responsible disclosure of security vulnerabilities. If you have detected a vulnerability in one of our software products – either in the latest or in a former product version – please inform us about the issue and follow the guidelines and processes described on our Portal page “Report a Security Vulnerability to SAP”.

Give SAP sufficient time to develop suitable fixes
  • Fixing security vulnerabilities can be a long and arduous process as we work to develop a patch, ensure its compatibility with all relevant software versions, run comprehensive tests to ensure that the fixes run well and do not have any side-effects, and provide it to our customers.
  • As a vendor of business software we provide security fixes not only for the latest version, but also for many older versions of our software products. This means that we need to develop and thoroughly test feasible patches for a broad range of product versions, which can take time.
  • The Security Response team provides no credit if the researcher has disclosed the issue before the fix has been released.

Do not publicize vulnerabilities until SAP customers have had time to deploy fixes
  • The deployment of patches for SAP enterprise systems is usually more complicated than a software upgrade on a consumer PC. Depending on the nature of the vulnerability, patch deployment is often not just an automated update; in some cases it requires manual configuration work in the system.
  • Some of our customers also have regular patching cycles, for instance on a monthly or a quarterly basis.
  • In light of these circumstances, we ask all security researchers to give SAP customers sufficient time to implement patches in their SAP systems. As a rule of thumb, we suggest respecting an implementation time of three months once the patch is released. We ask all security researchers not to disseminate any kind of information or tools that would help to exploit the vulnerability during that time.
Inform the Security Response team about all your upcoming public advisories and external presentations with SAP product security content

SAP asks all security researchers to inform the Security Response team via PGP-encrypted e-mail (using SAP's public PGP key) to secure@sap.com about all upcoming talks at security conferences. We kindly ask them to also provide the planned content, even if it is only a draft version. This could be done in parallel with the reply to the “call for papers”.

We kindly ask you to send each presentation with SAP product security content to the Security Response team via PGP-encrypted e-mail to secure@sap.com at least three weeks before the talk is given.

For your public advisories and external presentations with SAP product security content, please also note the following:
  • Take care that no zero-days are disclosed during your presentation.
  • Disclose only issues for which the fixing security note was released at least three months ago.
  • The information on the slides should not be too detailed:
    • No exploits
    • No proofs of concept (PoC)
  • We kindly ask you to reference the fixing security note, or point to the corresponding SAP documentation, for each disclosed issue.


Legal Terms and Conditions

By submitting information about security threats and/or solution proposals (hereinafter together referred to as "Feedback") to SAP:

  • You commit yourself to the principle expressed in this guideline to avoid any harm to SAP users and you therefore agree not to publicize information about threats and vulnerabilities of the SAP software before a fix and/or patch has been made available by SAP; AND
  • You agree that SAP may use such Feedback to update and/or improve its software; and you grant to SAP a non-exclusive, perpetual, irrevocable, worldwide, royalty-free license, with the right to sublicense to SAP's licensees and customers, under all relevant intellectual property rights, to use, publish, and disclose such Feedback in any manner SAP chooses and to display, perform, copy, make, have made, use, sell, and otherwise dispose of SAP's and its sublicensees' products or services embodying Feedback in any manner and via any media SAP chooses, without reference to the source. SAP shall be entitled to use Feedback for any purpose without restriction or remuneration of any kind with respect to You and/or Your representatives; AND
  • You further agree that SAP may decide, in its sole discretion, to list your name and other personal information that you may provide for this purpose on the Acknowledgements page, unless you express to SAP your desire not to be mentioned. You may request at any time that your name and other personal information be deleted from the Acknowledgements page.