Vulnerability Reporting Guidelines

Security Vulnerability Reporting

We take security seriously and appreciate the efforts of security researchers and ethical hackers in helping us maintain a secure platform. If you believe you've discovered a potential security vulnerability, we encourage you to report it to us following these guidelines.

What to Report

  • Security bugs in our software or infrastructure
  • Authentication or authorization flaws
  • Data exposure vulnerabilities
  • Cross-site scripting (XSS) vulnerabilities
  • SQL injection vulnerabilities
  • Other security-related issues that could compromise our systems or users

How to Report

Please send your vulnerability report to: security_team@software.com

Include the following information in your report:

  • Detailed description of the vulnerability
  • Steps to reproduce the issue
  • Proof of concept if available
  • Potential impact of the vulnerability
  • Your contact information for follow-up questions

Response Timeline

We are committed to the following response times:

  • Initial response: Within 24 hours
  • Status update: Every 5 business days
  • Vulnerability fix: Timeline depends on severity and complexity

Responsible Disclosure Policy

We kindly request that you:

  • Do not access or modify user data without explicit permission
  • Do not execute denial of service attacks
  • Do not use automated scanning tools without coordination
  • Do not disclose the vulnerability to others until it has been fixed
  • Provide reasonable time for us to address the issue before public disclosure

Recognition

We value the security research community and will:

  • Acknowledge your contribution after the vulnerability is fixed
  • Provide detailed information about how we fixed the issue

Out of Scope

The following types of bugs are not considered valid for our security bug bounty program:

  • Descriptive or verbose error messages without a demonstrated security impact
  • Social engineering attacks
  • Self-XSS
  • Reports from automated vulnerability scanners

Legal Safe Harbor

We will not pursue legal action against security researchers who:

  • Follow our responsible disclosure policy
  • Make a good-faith effort to avoid privacy violations, data destruction, and service interruption
  • Do not exploit the security issue for their own gain

Thank you for helping us maintain a secure platform for all our users.
