Disclosure Guidelines for SAP Security Advisories
Give SAP sufficient time to develop suitable fixes
Fixing security vulnerabilities can be a long and arduous process as we work to develop a patch, ensure its compatibility with all relevant software versions, run comprehensive tests to ensure that the fixes run well and do not have any side-effects, and provide it to our customers.
- As a vendor of business software we provide security fixes not only for the latest version, but also for many older versions of our software products. This means that we need to develop and thoroughly test feasible patches for a broad range of product versions, which can take time.
- The Security Response team provides no credits if the researcher has disclosed the issue before the fix has been released.
Do not publicize vulnerabilities until SAP customers have had time to deploy fixes
- The deployment of patches for SAP enterprise systems is usually more complicated than a software upgrade on a consumer PC. Depending on the nature of the vulnerability, the deployment of patches often is not only done by an automated update; in some cases it requires manual configuration work in the system.
- Some of our customers also have regular patching cycles, for instance on a monthly or a quarterly basis.
- In light of these circumstances, we ask all security researchers to give SAP customers sufficient time to implement patches in their SAP systems. As a rule of thumb, we suggest respecting an implementation time of three months once the patch is released. We ask all security researchers to not disseminate any kind of information or tools that would help to exploit the vulnerability during that time.
SAP asks all security researchers to inform the Security Response team via PGP encrypted (Click here to get the public PGP key) e-mail to firstname.lastname@example.org about all upcoming talks on security conferences. We kindly ask them to also provide the planned content, even if it’s only a draft version. This could be in parallel with the “call for paper” reply.
We kindly ask to send each presentation with SAP product security content to the Security Response team via PGP encrypted e-mail to email@example.com at least 3 weeks in advance before the talk is given.
- Take care that no Zero Days are disclosed during your presentation.
- Disclose only issues where the fixing security note has been released at least three months ago.
- The information on the slides should not be too detailed:
- No exploits
- No Proof of Concepts (PoC)
- We kindly ask you to mention the fixing security note or hints to the corresponding SAP documentation for each disclosed issue.
Legal Terms and Conditions
By submitting information about security threats and/or solution proposals (hereinafter together referred as "Feedback") to SAP:
- You commit yourself to the principle expressed in this guideline to avoid any harm to SAP users and you therefore agree not to publicize information about threats and vulnerabilities of the SAP software before a fix and/or patch has been made available by SAP; AND
- You agree that SAP may use such Feedback to update and/or improve its software; and you grant to SAP a non-exclusive, perpetual, irrevocable, worldwide, royalty-free license, with the right to sublicense to SAP's licensees and customers, under all relevant intellectual property rights, to use, publish, and disclose such Feedback in any manner SAP chooses and to display, perform, copy, make, have made, use, sell, and otherwise dispose of SAP's and its sub licensee’s products or services embodying Feedback in any manner and via any media SAP chooses, without reference to the source. SAP shall be entitled to use Feedback for any purpose without restriction or remuneration of any kind with respect to You and/or Your representatives; AND
- You further agree that SAP may decide, in its sole discretion, to list your name and other personal information that you may provide for this purpose on the Acknowledgements page, unless you express to SAP your desire not to be mentioned. You may request at any time that your name and other personal information is deleted from the Acknowledgements page.