Vulnerability Reporting Guidelines
Security Vulnerability Reporting
We take security seriously and appreciate the efforts of security researchers and ethical hackers in helping us maintain a secure platform. If you believe you've discovered a potential security vulnerability, we encourage you to report it to us following these guidelines.
What to Report
- Security bugs in our software or infrastructure
- Authentication or authorization flaws
- Data exposure vulnerabilities
- Cross-site scripting (XSS) vulnerabilities
- SQL injection vulnerabilities
- Other security-related issues that could compromise our systems or users
How to Report
Please send your vulnerability report to: security_team@software.com
Include the following information in your report:
- Detailed description of the vulnerability
- Steps to reproduce the issue
- Proof of concept if available
- Potential impact of the vulnerability
- Your contact information for follow-up questions
Response Timeline
We are committed to the following response times:
- Initial response: Within 24 hours
- Status update: Every 5 business days
- Vulnerability fix: Timeline depends on severity and complexity
Responsible Disclosure Policy
We kindly request that you:
- Do not access or modify user data without explicit permission
- Do not execute denial of service attacks
- Do not use automated scanning tools without coordination
- Do not disclose the vulnerability to others until it has been fixed
- Provide reasonable time for us to address the issue before public disclosure
Recognition
We value the security research community and will:
- Acknowledge your contribution after the vulnerability is fixed
- Provide detailed information about how we fixed the issue
Out of Scope
The following types of bugs are not considered valid for our security bug bounty program:
- Descriptive error messages
- Social engineering attacks
- Self-XSS
- Reports from automated vulnerability scanners
Legal Safe Harbor
We will not pursue legal action against security researchers who:
- Follow our responsible disclosure policy
- Make a good faith effort to avoid privacy violations, data destruction, and service interruption
- Do not exploit the security issue for their own gain
Thank you for helping us maintain a secure platform for all our users.