At Informatica we take the security of your information seriously. If you believe you've detected a vulnerability within our products we'd like to hear about it by participating in our Responsible Disclosure Program.

If you believe you have discovered a vulnerability or have a security incident to report, please submit a bug report and someone will contact you in a timely manner. Please include a detailed summary of the issue you discovered so that we can attempt to reproduce it and assess its severity and impact.

To be eligible for recognition, you must:

• Be the first person to responsibly disclose the bug.

• Report a bug that could compromise our users' private data, circumvent the system's protections, or enable access to a system within our infrastructure.

Types of Recognition:

• Post on our Hall of Fame

Qualifying Properties:

• Any other domains and IP addresses owned by/operated by Informatica

Qualifying Vulnerabilities:

In general, any implementation issue that is reproducible and significantly affects the security of Informatica customers is likely in scope for this program. Typical types of issues include:

• Cross-site Scripting (XSS)

• Cross-site Request Forgery

• Server-Side Request Forgery (SSRF)

• SQL Injection

• Server-side Remote Code Execution (RCE)

• XML External Entity Attacks (XXE)

• Access Control Issues (Insecure Direct Object Reference issues, etc)

• Exposed Administrative Panels that don't require login credentials

• Directory Traversal Issues

• Local File Disclosure (LFD)

• Broken Authentication or authorization issues

• Broken cryptographic implementation w/ working exploit

• Circumvention of our framework's privacy and permission models

Non-Qualifying Vulnerabilities will be closed as Not Applicable:

The following issues are outside the scope of our recognition program:

• Best practices concerns

• Vulnerabilities affecting users of outdated or unsupported browsers or platforms

• Self-XSS that cannot be used to exploit other users

• Reports from automated tools or scans

• Denial of Service Attacks

• Host Header Injection

• Reflected File Download (RFD)

• Username Enumeration

• Physical or social engineering attempts (this includes phishing attacks against Informatica employees)

• Content injection issues

• Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)

• Missing autocomplete attributes

• Missing cookie flags

• Issues which require physical access to a victim’s computer

• Missing security headers which do not present an immediate security vulnerability

• SSL/TLS scan reports (this means output from sites such as SSL Labs)

• Banner grabbing issues (figuring out what web server we use, etc)

• Open ports without an accompanying proof-of-concept demonstrating vulnerability

• Open Redirect Vulnerabilities

• Publicly accessible login panels

• Recently disclosed 0day vulnerabilities - please give us two weeks before reporting these types of issues.

• identification of Informatica data in OSINT sources in absence of a working exploit (i.e shadowserver, rbl, etc).

• Email/SMS flooding attacks

• Issues related to software or protocols not under Informatica control

• Physical attempts against Informatica personnel, property or data centers

• Clickjacking and the issues exploited only by clickjacking

Rules of Engagement:

Please refrain from accessing sensitive information (by using a test account and/or system), performing actions that may negatively affect other Informatica users (denial of service), or sending reports from automated tools. If classified, personal, or other non-public information is accessed, finders agree not to use or disclose the information for any purpose and to delete it promptly.

Informatica reserves the right to assess each bug to determine if it qualifies.

Informatica makes every reasonable effort to protect the information in our care from loss, misuse, alteration or destruction. Only authorized employees and clients have access to the data that we gather and that access is limited by need. All employees who have access to client data are enjoined to maintain the confidentiality of such information. No method of transmission over the Internet or method of electronic storage is 100% secure; therefore, while we strive to use all commercially reasonable means to protect client information, that cannot guarantee absolute security.