LeanIX

Responsible Disclosure Policy

About this policy

LeanIX appreciates and values the identification and reporting of security vulnerabilities carried out by well-intentioned, ethical security researchers.

This vulnerability disclosure policy applies to any vulnerability that you are considering reporting to us. We recommend reading this policy in full before you report a vulnerability and always acting in compliance with it. Through this Responsible Disclosure policy, the LeanIX Information Security Team provides a framework for the safe, secure and responsible disclosure of weaknesses in our products and infrastructure that could be exploited to perform unauthorised actions within a system. The purpose of this Policy is to enable such vulnerabilities to be reported responsibly and to be remediated or patched in order to preserve the Confidentiality, Integrity and Availability of our services.

If you are a security researcher and you encounter a vulnerability, we would like to cooperate with you to fix the vulnerability before it can be misused.

How to Report

If you believe you have found a security vulnerability, please submit your report to us using the following email address: infosec@leanix.net

To the extent possible, your report should include details of:

  • Type of vulnerability or issue
  • Service, product or URL affected
  • Special configuration or requirements to reproduce the issue
  • Information necessary to reproduce the issue
  • Impact of the vulnerability together with an explanation of how an attacker could find it and exploit it

We welcome anonymous reports but we will not be able to share updates on the follow-up of the report.

What will we do with your report

Our information security experts will assess the finding and respond as soon as reasonably possible. Each case will be analysed individually. We kindly ask that you give us a reasonable opportunity and time for this analysis, keep the information confidential, and not disclose the vulnerability to others without consulting the LeanIX Information Security Team.

Please note that LeanIX does not offer a bug bounty program. This means that LeanIX does not pay rewards for disclosed security vulnerabilities. This Policy is not intended to encourage hacking attempts in connection with LeanIX products and infrastructure, but to provide a responsible framework under which security vulnerability reports can be communicated and remediated. On a case-by-case basis, and in consultation with you, we will consider providing public acknowledgement of your support.

Any personal details that we have received from your side will be processed by us in accordance with the LeanIX privacy notice for business customers, partners and counter-parties available at our commitments as a data controller. Your data will be processed for purposes of responding to your report and addressing the reported vulnerabilities.

Guidelines

You must:

  • Always comply with data protection rules and never violate the privacy of our users, staff, contractors, services or systems
  • Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law)
  • Report the vulnerability as soon as you can, to prevent threat actors from exploiting it before we have a chance to fix it
  • Report the vulnerability to us and keep the information confidential (in particular where it concerns personal data)

You must NOT:

  • Break any applicable law or regulations
  • Access unnecessary, excessive or significant amounts of data or modify data in our systems or services
  • Submit reports detailing non-exploitable vulnerabilities or reports indicating that the services do not fully align with “best practice”, for example missing security headers
  • Demand financial compensation in order to disclose any vulnerabilities
  • Disclose the vulnerability to others
  • Use social engineering to gain access to our IT infrastructure or services
  • Install your own backdoor in our systems to demonstrate the vulnerability, as this may result in unnecessary damage and security risks
  • Exploit a vulnerability further than necessary to confirm the finding
  • Modify or remove data from our systems
  • Modify our systems
  • Use denial-of-service attacks or brute-force access techniques
  • Use phishing
  • Use aggressive automated scanning
  • Negatively impact the Confidentiality, Integrity or Availability of our services
  • Execute code on our systems
  • Attempt to penetrate our systems further than necessary to confirm the finding

Legal

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law or which might cause LeanIX to be in breach of any of its legal obligations.

Questions

If at any time you have questions about the above policy, feel free to reach out to infosec@leanix.net