The SAP Product Security Response Team thanks all researchers and IT security professionals who help with discovering and solving security vulnerabilities. Their findings continuously help SAP maintain the security and safety of its customers' and partners' SAP systems.
Our acknowledgements page lists those professionals we have worked with successfully in the past. We thank all security researchers for their excellent work and hope to continue the beneficial relationship between security professionals and SAP.
Security researchers who have helped SAP to improve the security and integrity of our customers' IT systems by respecting our disclosure guidelines this month are:
AKS IT Services, V. Lakshmi Kiran
Core Security, Martin Gallo
ERPScan, Alexey Tyurin, Dmitry Chastuhin, Igor Ilyin, Roman Bazhin, Vahagn Vardanyan
ERPSecurity, Joris van de Vis
Onapsis, Will Vandevanter
Subgraph, David Mckinney
Virtual Forge, Andreas Wiegenstein, Frederik Weidemann, Peter Werner, Xu Jia
Each Patch Day (the second Tuesday of a month), the external researchers involved are listed with company name, a link to their home page, and the name of the person. Details about the findings are not included. The list is ordered alphabetically by company name.
For previous months' acknowledgments, visit the acknowledgments archive page.
To view the security notes released this Patch Day, visit the Support Portal.
SAP encourages the responsible disclosure of security vulnerabilities and therefore asks researchers to follow these general guidelines:
- If you have detected a vulnerability in one of our software products – either in the latest or in a former product version – you shall inform us about the issue and follow the guidelines and processes in accordance with our Portal page “Report a Security Vulnerability to SAP”.
- Give SAP sufficient time to develop suitable fixes.
- Do not publicize vulnerabilities until SAP customers have had enough time to deploy fixes.
- As a rule of thumb, we suggest respecting an implementation time of three months. We ask all security researchers to not disseminate any kind of information or tools that would help to exploit the vulnerability during that time.
- Provide us with all of your external disclosures, such as advisories or presentations with SAP product security content, beforehand for review.
We honestly appreciate your work and certainly want to show this appreciation through credits on a public Web site. Nevertheless, SAP reserves the right to change or delete credits at any time.
For further information, read the Disclosure Guidelines for SAP Security Advisories.