45466 policies in database
Link to program      
2020-02-11
2020-02-13
HCL Software Inc. logo
Thank
Gift
HOF
Reward

HCL Software Inc.

HCL Software recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.

The HCL Software Vulnerability Management Team manages the receipt, investigation and internal coordination of security vulnerability information related to HCL Software offerings. This team will coordinate with HCL product and solutions teams to investigate and, if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.

Please note, report status marked as triaged is subject to change pending the responding team's final analysis.

Customers and other entitled users of a product or solution should contact HCL Software Customer Support to report issues discovered in HCL offerings. If the HCL Software Customer Support Team determines that a reported issue is a security vulnerability, it will contact HCL Software Vulnerability Management Team, as needed.

Response Targets

HCL Software, Inc. will make a best effort to meet the following SLAs for hackers participating in our program:

| Type of Response | SLA in business days |

| ------------- | ------------- |

| First Response | 2 days |

| Time to Triage | 2 days |

| Time to Resolution | depends on severity and complexity |

We’ll try to keep you informed about our progress throughout the process.

If your report is not specifically related to HCL Software products that are listed in our structured scope section, please know that we can neither guarantee remediation timelines nor commit to closed loop communications around the vulnerability. We will gratefully accept these reports and pass them to the appropriate team, but we only commit to remediation timelines and communications for reports on our assets that are specifically in scope.

Disclosure Policy

  • Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.

  • Follow HackerOne's disclosure guidelines.

Demo Portal

Please visit our Demo Portal to explore products available in the HCL Software portfolio in a virtual sandbox environment. ==Register for free with your @wearehackerone address.== The following products are available in the demo portal:

  • HCL Clara

  • HCL Design Room Live!

  • HCL Digital Experience

  • HCL HERO for Workload Automation

  • HCL Informix

  • HCL Leap

  • HCL OneTest

  • HCL RealTime Software Tooling

  • HCL UrbanCode Deploy

  • HCL UrbanCode Velocity

  • HCL Workload Automation

  • HCL Z Data Tools

Program Rules

  • Initially, this Program Policy is limited to exploitable security vulnerabilities and CVE found in the products that HCL has acquired from IBM. Please see the list of In Scope products below. As we expand our Vulnerability Management Program, we will add more HCL Software products to this list.

  • To be eligible to participate in this program, you must not be under contract to perform security testing for HCL Corporation, or an HCL subsidiary, or HCL client within 6 months prior to submitting a report.

  • Only report vulnerabilities for HCL Software products that are currently in support. Check the “In Scope” section below for the product list. Only the current release and the previous release of any of these products are covered by this program.

  • To protect our customers, HCL Software does not publicly disclose or confirm security vulnerabilities until HCL Software has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to HCL Software, you agree to not publicly disclose or share the vulnerability with any third party until HCL Software confirms that the vulnerability has been remediated or you have received written permission from HCL Software to publish information about the vulnerability.

  • HCL Software does not participate in bug bounty awards programs at this time. In order for HCL to evaluate your vulnerability report, you agree to provide the following information about your finding: details on the software product and version, a description of the issue, the hardware platform, steps to reproduce the issue, and potential impact.

*Do not include any information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

*When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive state changing actions.

  • Unauthenticated/logout/login CSRF.

  • Attacks requiring MITM or physical access to a user's device.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.

  • Best practices that do not lead to an actionable vulnerability or do not have a CVE.

  • Any activity that could lead to the disruption of our service (DoS).

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

  • HCL software that has reached End Of Support (EOS) is not accepted and will receive a "Not Applicable" response.

*Publicly known data meant to be accessed by anyone.

  • Please note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it.

Legal Notice

By submitting a vulnerability report to HCL Software, you agree that HCL Software may use any information provided by you in such report for any HCL Software business purpose (including but not limited to reproduction of the vulnerability, remediation of the vulnerability and general development purposes), without requiring consent from or payment to you.

Also, it is important that you notify us if any such information or associated intellectual property is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.

Thank you for helping keep HCL Software and our customers safe!

In Scope

Scope Type Scope Name
application

HCL AppScan

application

HCL BigFix

application

HCL Commerce

application

HCL Connections

application

HCL Digital Experience (Portal & Content Manager)

application

HCL Domino

application

HCL Notes

application

HCL Sametime

application

HCL Unica

application

HCL Verse

application

HCL Clara

application

HCL HERO

application

HCL Atlas

application

HCL Design Room Live!

application

HCL Forms

application

HCL Informix

application

HCL Informix on Cloud

application

HCL Integration Platform (HIP)

application

HCL Leap

application

HCL OneTest

application

HCL One Test Embedded

application

HCL RealTime Software Tooling (RTist)

application

HCL Terminal Enterprise Access (TEA)

application

HCL UrbanCode Deploy

application

HCL UrbanCode Velocity

application

HCL Workload Automation (HWA)

application

HCL Workload Automation on AWS

application

HCL Z Asset Optimizer

application

HCL Z Data Tools


This program crawled on the 2020-02-11 is sorted as bounty.

FireBounty © 2015-2024

Legal notices | Privacy policy