2022-04-25

Automation Anywhere

Automation Anywhere Vulnerability Disclosure Policy


Automation Anywhere, Inc., the premier cloud-native robotic process automation company, is committed to ensuring the safety and security of the products and cloud services that we license to our customers.

As such, if you discover a vulnerability in the products or cloud services that are provided to our customers, Automation Anywhere appreciates your help in disclosing these vulnerabilities to our company in a responsible manner through the following:

  1. Respect the rules. Operate within the rules set forth here or speak up if in strong disagreement with the rules.

  2. Respect privacy. Make a good faith effort not to access or destroy another user’s data.

  3. Be patient. Make a good faith effort to clarify and support your reports upon request.

  4. Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.

Scope


This program shall only apply to products or SaaS services that we develop and license to our customers. This program does not apply to our website and non-service-oriented infrastructure.

Please note: Automation Anywhere does not condone any attempts to actively audit or exploit our cloud services, applications, and infrastructure.

This document applies to technical vulnerabilities on Automation Anywhere products or SaaS services that we develop and license to our customers.

The following are not in scope for testing.

Out of Scope Environments


*.automationanywhere.com web properties

Out of Scope Test Activities


  • Testing not related to our SaaS environment, such as the corporate website

  • Attacks involving stolen credentials or physical access to endpoint devices

  • Automated Scans (without an exploitable PoC)

  • Host Header Injection (without providing an exploitable scenario)

  • Denial of Service (DoS) or DDoS

  • DLL hijacking (without escalation of privileges)

Out of Scope Vulnerabilities


  • Low Severity Clickjacking Vulnerabilities

  • Issues present in older versions of browsers, plugins, or any other software

  • Content Spoofing Vulnerabilities

  • HTTP Trace method is enabled

Vulnerability Submissions


We encourage security researchers to share the details of any suspected vulnerabilities with the Automation Anywhere Security Team by submitting the form at the top of this page.

Automation Anywhere will review the submission to determine if the finding is valid and has not been previously reported.

At Automation Anywhere's discretion, you may be eligible for monetary compensation for your efforts.

We require security researchers to include detailed information with steps for us to reproduce the vulnerability.

Automation Anywhere will attempt to review and respond to your report within 5 business days of submission.

Publication of Vulnerability


Following the successful fix of the vulnerability, we will disclose the vulnerability and the successful remediation on our website, subject to the terms and conditions of the Responsible Disclosure Agreement. If you prefer to be credited by name, please let us know in writing (email sufficient). 

Bounty Program


Automation Anywhere does not provide financial reward related to discovered vulnerabilities. Automation Anywhere may provide attribution to publicly reported vulnerabilities that are validated as part of our triage process based upon agreement with the researcher and Automation Anywhere.

Our Commitment (Safe Harbor)


If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy and in good faith, Automation Anywhere commits to not engaging in legal action against you.

In Scope

Scope Type         Scope Name
web_application    automationanywhere.university
web_application    https://apeople.automationanywhere.com/
web_application    https://botstore.automationanywhere.com/
web_application    *.my.automationanywhere.digital
web_application    14west-1.my.automationanywhere.digital
web_application    1775.my.automationanywhere.digital


This policy, crawled by Onyphe on 2022-04-25, is sorted as bounty.
