SAP takes the security of its products very seriously, with a comprehensive secure software development life-cycle process, clear quality and security standards for software development, and a dedicated Security Response process in place as the most visible evidence of its commitment. The SAP Security Response team is responsible for investigating all reported security vulnerabilities, working closely with reporters of vulnerabilities and SAP product development to provide patches, and informing customers about the patches and their importance. Since the integrity and security of business operations are crucial for businesses in all industries, SAP, as a provider of business software, is absolutely committed to maintaining the highest possible level of security within its products.
SAP encourages the responsible disclosure of security vulnerabilities. If you have detected a vulnerability in one of our software products – either in the latest or in a former product version – please inform us about the issue and follow the guidelines and processes in accordance with our Portal page “Report a Security Vulnerability to SAP”.
Give SAP sufficient time to develop suitable fixes
Fixing security vulnerabilities can be a long and arduous process as we work to develop a patch, ensure its compatibility with all relevant software versions, run comprehensive tests to ensure that the fixes run well and do not have any side-effects, and provide it to our customers.
As a vendor of business software we provide security fixes not only for the latest version, but also for many older versions of our software products. This means that we need to develop and thoroughly test feasible patches for a broad range of product versions, which can take time.
Do not publicize vulnerabilities until SAP customers have had time to deploy fixes
The deployment of patches for SAP enterprise systems is usually more complicated than a software upgrade on a consumer PC. Depending on the nature of the vulnerability, deploying a patch is often not just an automated update; in some cases it requires manual configuration work in the system.
Some of our customers also have regular patching cycles, for instance on a monthly or a quarterly basis.
Inform the Security Response team about all your upcoming public advisories and external presentations with SAP product security content
SAP asks all security researchers to inform the Security Response team via PGP-encrypted e-mail (the team's public PGP key is available on the SAP portal) to firstname.lastname@example.org about all upcoming talks at security conferences. We kindly ask them to also provide the planned content, even if it is only a draft version. This could be done in parallel with the “call for papers” reply.
We kindly ask that each presentation with SAP product security content be sent to the Security Response team via PGP-encrypted e-mail to email@example.com at least 3 weeks before the talk is given.
For your public advisories and external presentations with SAP product security content, please also note the following:
Legal Terms and Conditions
By submitting information about security threats and/or solution proposals (hereinafter together referred to as "Feedback") to SAP: