
Acknowledgments to Security Researchers

The SAP Product Security Response Team thanks all researchers and security IT professionals that helped with discovering and solving security vulnerabilities. Their findings have helped SAP to maintain the security and safety of its customers' and partners' SAP systems.

Our acknowledgements page lists those professionals we have worked with successfully in the past. The acknowledgements are published on a monthly basis and mention all security researchers who helped to improve the security and integrity of our customers' IT systems by respecting our disclosure guidelines. We thank all security researchers for their excellent work and hope to continue the fruitful relationship between security professionals and SAP.

 

July 2014

ERNW, Florian Grunow, SAP Security Note 1988956

ERPScan, Dmitry Chastuhin, SAP Security Note 2011169

Red-Team, Dave Hewson, SAP Security Note 1962104

ZDI Disclosures, Shanoon, SAP Security Note 2028891

NTT Com Security, Stephen Breen, SAP Security Note 2036562

 

June 2014

Compass Security, Stefan Horlacher, SAP Security Note 1908531

ERPScan, Dmitry Chastuhin, Vahagn Varda, SAP Security Note 2014881

Onapsis, Will Vandevanter, SAP Security Note 2015446

Onapsis, Will Vandevanter, SAP Security Note 2001109

Onapsis, Will Vandevanter, SAP Security Note 2001106

Onapsis, Will Vandevanter, SAP Security Note 1998990

Onapsis, Will Vandevanter, SAP Security Note 1941562

Onapsis, Nahuel D. Sánchez, SAP Security Note 1967780

Subgraph, David Mckinney, SAP Security Note 1981048

Subgraph, David Mckinney, SAP Security Note 1971270


May 2014

Atos IT Gmbh, Josè Manuel Lorenzo Lopez, SAP Security Note 1979438

ESNC, Ertunga Arsal, SAP Security Note 1889999

Onapsis, Will Vandevanter, SAP Security Note 2009696

Positive Technologies, Dmitry Gutsko, SAP Security Note 1997455

 

April 2014

Core Security, Martin Gallo, SAP Security Note 1986895

ERPSecurity, Joris van de Vis, SAP Security Note 1940405

ERPSecurity, Joris van de Vis, SAP Security Note 1971516

ESNC, Ertunga Arsal, SAP Security Note 1940405

Onapsis, Nahuel D. Sánchez, SAP Security Note 1974016

Onapsis, Will Vandevanter, SAP Security Note 1993349

Onapsis, Sergio Abraham, SAP Security Note 1929473

Onapsis, Nahuel D. Sánchez, SAP Security Note 1778940

Subgraph, David McKinney, SAP Security Note 1975842

University Bremen, Christian Liebig, SAP Security Note 1975842

University Bremen, Christian Liebig, SAP Security Note 2001778

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1987413

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1985100

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1983739

Virtual Forge, Frederik Weidemann, SAP Security Note 1878371


March 2014

Emaze Networks S.p.A., Enrico Milanese, SAP Security Note 1946420

ERPSecurity, Joris van de Vis, SAP Security Note 1965610

ERPSecurity, Joris van de Vis, SAP Security Note 1884678

ESNC, Ertunga Arsal, SAP Security Note 1971238

Onapsis, Sergio Abraham, SAP Security Note 1964428

Onapsis, Sergio Abraham, Manuel Muradas, SAP Security Note 1963932

 

February 2014

ERPScan, Alexander Polyakov, SAP Security Note 1860923

ESNC, Ertunga Arsal, SAP Security Note 1945300

Onapsis, Sergio Abraham, SAP Security Note 1791081

Onapsis, Sergio Abraham, SAP Security Note 1768049

Onapsis, Sergio Abraham, SAP Security Note 1920323

Onapsis, Sergio Abraham, SAP Security Note 1915873

Onapsis, Sergio Abraham, SAP Security Note 1914777

Onapsis, Sergio Abraham, SAP Security Note 1911174

Onapsis, Sergio Abraham, SAP Security Note 1795463

Onapsis, Sergio Abraham, SAP Security Note 1789569

Onapsis, Sergio Abraham, SAP Security Note 1738965

Onapsis, Juan Pablo Perez Etchegoyen, Jordan Santarsieri, Pablo Muller, SAP Security Note 1939334

CyberSecurity Maldives, Shabnoon Khalid, SAP Security Note 1905408

 

January 2014

ERPScan, Neyolov Evgeny, SAP Security Note 1828885

ERPScan, Dmitry Chastuhin, SAP Security Note 1788080

Emaze Networks S.p.A., Enrico Milanese, SAP Security Note 1932505

ERNW, Florian Grunow, SAP Security Note 1924853

ESNC, Ertunga Arsal, SAP Security Note 1886051

ESNC, Ertunga Arsal, SAP Security Note 1865109

Onapsis, Nahuel D. Sánchez, SAP Security Note 1894049

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1865109

Onapsis, Nahuel D. Sánchez, SAP Security Note 1918333

Onapsis, Nahuel D. Sánchez, SAP Security Note 1917381

Onapsis, Jordan Santarsieri, SAP Security Note 1922547

Onapsis, Jordan Santarsieri, SAP Security Note 1910914

Onapsis, Will Vandevanter, SAP Security Note 1931399

SecuRing, Krzysztof Kotowicz, SAP Security Note 1916560

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1949046

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1898046

Virtual Forge, Xu Jia, SAP Security Note 1884596

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1956096

 

December 2013

AppSecInc, Martin Rakhmanov, SAP Security Note 1927859

Compass Security, Stefan Horlacher, SAP Security Note 1908562

Compass Security, Stefan Horlacher, SAP Security Note 1908647

ERPScan, Alexander Polyakov, SAP Security Note 1852146

ERPScan, Georgy Nosenko, SAP Security Note 1773912

ERPScan, Alexey Tyurin, Nikolay Mescherin, SAP Security Note 1917054

ERPSecurity, Joris van de Vis, SAP Security Note 1896642

ERPSecurity, Joris van de Vis, SAP Security Note 1900200

ERPSecurity, Joris van de Vis, SAP Security Note 1929338

ESNC, Ertunga Arsal, SAP Security Note 1782753

ESNC, Ertunga Arsal, SAP Security Note 1862392

ESNC, Ertunga Arsal, SAP Security Note 1909770

ESNC, Ertunga Arsal, SAP Security Note 1909858

Onapsis, Sergio Abraham, SAP Security Note 1911523

Onapsis, Sergio Abraham, SAP Security Note 1913554

Onapsis, Sergio Abraham, SAP Security Note 1926485

Sense of Security, Jason Edelstein, SAP Security Note 1802724

Simple solutions, Daniil Luzin, SAP Security Note 1925908

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1866296

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1896988

Virtual Forge, Frederik Weidemann, SAP Security Note 1819139

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1951875

 

November 2013

ERPScan, Nikolay Mescherin, SAP Security Note 1836718

ERPScan, Georgy Nosenko, SAP Security Note 1853140

ERPScan, Dmitriy Evdokimov, SAP Security Note 1864518

ERPScan, Alexey Tyurin, Nikolay Mescherin, SAP Security Note 1909665

ERPSecurity, Joris van de Vis, SAP Security Note 1903756

ERPSecurity, Joris van de Vis, SAP Security Note 1899146

ERPSecurity, Fred van de Langenberg, SAP Security Note 1898735

ESNC, Ertunga Arsal, SAP Security Note 1836314

ESNC, Ertunga Arsal, SAP Security Note 1917888

ESNC, Ertunga Arsal, SAP Security Note 1910737

ESNC, Ertunga Arsal, SAP Security Note 1907712

ESNC, Ertunga Arsal, SAP Security Note 1902986

ESNC, Ertunga Arsal, SAP Security Note 1902402

ESNC, Ertunga Arsal, Mert Suoglu, SAP Security Note 1905591

ESNC, Ertunga Arsal, SAP Security Note 1906568

ESNC, Ertunga Arsal, SAP Security Note 1843169

ESNC, Ertunga Arsal, SAP Security Note 1902611

Hacktics Advanced Security Center, Ernst & Young, Oren Hafif, Egor Pryadko, SAP Security Note 1861907

KPMG, Agus Komang, SAP Security Note 1846945

Positive Technologies, Dmitry Sklyarov, Dmitry Gutsko, SAP Security Note 1902611

Simple solutions, Daniil Luzin, SAP Security Note 1861907

 

October 2013

ERPScan, Alexander Polyakov, SAP Security Note 1854826

ESNC, Ertunga Arsal, SAP Security Note 1868140

ESNC, Ertunga Arsal, SAP Security Note 1876343

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1853616

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1885371

Onapsis, Nahuel D. Sánchez, SAP Security Note 1914778

Sense of Security, Chris Archimandritis, SAP Security Note 1911067

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1898055

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1902854

 

September 2013

AppSecInc, Martin Rakhmanov, SAP Security Note 1809246

AppSecInc, Martin Rakhmanov, SAP Security Note 1849356

AppSecInc, Martin Rakhmanov, SAP Security Note 1893558

AppSecInc, Martin Rakhmanov, SAP Security Note 1893561

AppSecInc, Martin Rakhmanov, SAP Security Note 1893556

AppSecInc, Martin Rakhmanov, SAP Security Note 1893440

AppSecInc, Vladimir Zakharevich, SAP Security Note 1893560

ERPScan, Alexander Polyakov, SAP Security Note 1783795

ERPScan, Dmitriy Evdokimov, SAP Security Note 1828801

ERPScan, Dmitriy Evdokimov, SAP Security Note 1879601

ERPScan, Nikolay Mescherin, SAP Security Note 1890819

ERPSecurity, Joris van de Vis, SAP Security Note 1888167

ERPSecurity, Joris van de Vis, SAP Security Note 1888502

ERPSecurity, Joris van de Vis, SAP Security Note 1672911

ERPSecurity, Joris van de Vis, SAP Security Note 1889895

ESNC, Ertunga Arsal, SAP Security Note 1842826

ESNC, Ertunga Arsal, SAP Security Note 1847590

ESNC, Ertunga Arsal, SAP Security Note 1860258

ESNC, Ertunga Arsal, SAP Security Note 1863278

ESNC, Ertunga Arsal, SAP Security Note 1881914

ESNC, Ertunga Arsal, SAP Security Note 1884512

Positive Technologies, Igor Bulatenko, SAP Security Note 1887341

Simple solutions, Daniil Luzin, SAP Security Note 1864915

Virtual Forge, Andreas Wiegenstein & Sven Neuz, SAP Security Note 1777053

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1871683

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1885611

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1896785

 

August 2013

akquinet AG, Ralf Kempf, SAP Security Note 1764298

Raiffeisen Informatik GmbH, Chris John Riley, SAP Security Note 1851123

ERPScan, Nikolay Mescherin, SAP Security Note 1840249

ERPSecurity, Joris van de Vis, SAP Security Note 1861791

Emaze Networks S.p.A., Enrico Milanese, SAP Security Note 1851123

ESNC, Ertunga Arsal, SAP Security Note 1772529

ESNC, Ertunga Arsal, SAP Security Note 1842817

ESNC, Ertunga Arsal, SAP Security Note 1845802

ESNC, Ertunga Arsal, SAP Security Note 1847217

ESNC, Ertunga Arsal, SAP Security Note 1852955

ESNC, Ertunga Arsal, SAP Security Note 1856296

ESNC, Ertunga Arsal, SAP Security Note 1860308

ESNC, Ertunga Arsal, SAP Security Note 1873131

Hacktics Advanced Security Center, Ernst & Young, Alex Mor, SAP Security Note 1835125

Hacktics Advanced Security Center, Ernst & Young, Alex Mor, SAP Security Note 1838451

IOACTIVE Security Research Adv, Ariel M. Sanchez, SAP Security Note 1880040

Onapsis, Jordan Santarsieri, SAP Security Note 1773651

Virtual Forge, Andreas Wiegenstein & Sandra Möckel, SAP Security Note 1688229

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1847811

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1772529

Virtual Forge, Andreas Wiegenstein, Gert Kremser, Sven Neuz & Xu Jia, SAP Security Note 1861791

 

July 2013

Comsec Global Consulting, Moshe Zioni, SAP Security Note 1823687

ERPScan, Dmitry Chastuhin, SAP Security Note 1831022

ERPScan, Dmitry Chastuhin, SAP Security Note 1831053

ESNC, Ertunga Arsal, SAP Security Note 1839699

ESNC, Ertunga Arsal, SAP Security Note 1851835

ESNC, Ertunga Arsal, SAP Security Note 1846653

ESNC, Ertunga Arsal, SAP Security Note 1853040

ESNC, Ertunga Arsal, SAP Security Note 1858474

ESNC, Ertunga Arsal, SAP Security Note 1858566

ESNC, Ertunga Arsal, SAP Security Note 1854252

ESNC, Ertunga Arsal, SAP Security Note 1860367

ESNC, Ertunga Arsal, SAP Security Note 1860278

ESNC, Ertunga Arsal, SAP Security Note 1856093

ESNC, Ertunga Arsal, SAP Security Note 1863091

ESNC, Ertunga Arsal, SAP Security Note 1846515

ESNC, Ertunga Arsal, SAP Security Note 1840304

ESNC, Ertunga Arsal, SAP Security Note 1852738

ESNC, Ertunga Arsal, SAP Security Note 1868012

ESNC, Ertunga Arsal, SAP Security Note 1864397

Simple Solutions, Daniil Luzin, SAP Security Note 1861295

 

June 2013

ERPSecurity, Joris van de Vis, SAP Security Note 1836717
ERPSecurity, Joris van de Vis, SAP Security Note 1805024

ERPSecurity, Joris van de Vis, SAP Security Note 1831463

ERPSecurity, Joris van de Vis, SAP Security Note 1774432

ESNC, Ertunga Arsal, SAP Security Note 1781594

ESNC, Ertunga Arsal, SAP Security Note 1834935

ESNC, Ertunga Arsal, SAP Security Note 1816331

ESNC, Ertunga Arsal, SAP Security Note 1842218

ESNC, Ertunga Arsal, SAP Security Note 1848319

ESNC, Ertunga Arsal, SAP Security Note 1849744

ESNC, Ertunga Arsal, SAP Security Note 1849559

ESNC, Ertunga Arsal, SAP Security Note 1848996

ESNC, Ertunga Arsal, SAP Security Note 1853852

ESNC, Ertunga Arsal, SAP Security Note 1826162

ESNC, Ertunga Arsal, SAP Security Note 1847645

KPMG, Agus Komang, SAP Security Note 1846952

Positive Technologies, Dmitry Gutsko, SAP Security Note 1844202

SEC Consult, Gerhard Wagner and Bernhard Mueller, SAP Security Note 1851914

SEC Consult, Gerhard Wagner and Bernhard Mueller, SAP Security Note 1852064

SEC Consult, Gerhard Wagner and Bernhard Mueller, SAP Security Note 1858107

Trustwerk GmbH, Ralf Nellessen, SAP Security Note 1853161

Virtual Forge, Xu Jia, SAP Security Note 1843082

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1842406

 

May 2013

CBACert, Commonwealth Bank of Australia, Jonathan Brossard, SAP Security Note 1791238

CBACert, Commonwealth Bank of Australia, Jonathan Brossard, SAP Security Note 1791490

ERPScan, Georgy Nosenko, SAP Security Note 1820666

ERPSecurity, Joris van de Vis, SAP Security Note 1729638

ERPSecurity, Joris van de Vis, SAP Security Note 1810809

ESNC, Ertunga Arsal, SAP Security Note 1787455

ESNC, Ertunga Arsal, SAP Security Note 1837030

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1839758

Matthew Phillips, SAP Security Note 1840970

Onapsis, Jordan Santarsieri, SAP Security Note 1829584

Positive Technologies, Pavel Toporkov, SAP Security Note 1779578

Virtual Forge, Stefan Vogel, Frederik Weidemann, SAP Security Note 1718145

 

April 2013

Virtual Forge, Sandra Möckel and Andreas Wiegenstein, SAP Security Note 1718022

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1827217

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1757472
Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1819822
KPMG, Tan Kean Siong, SAP Security Note 1784771
ESNC, Ertunga Arsal, SAP Security Note 1812581

INTEGRITY S.A., Bruno Morisson, SAP Security Note 1816536

ERPScan, Nikolay Mescherin, SAP Security Note 1821862

ERPScan, Nikolay Mescherin and Alexey Tyurin, SAP Security Note 1821019

 

March 2013

ESNC, Ertunga Arsal, SAP Security Note 1771567

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1813734

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1789823

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1786822 

Virtual Forge, Andreas Wiegenstein and Xu Jia, SAP Security Note 1806435 

ERPScan, Alexander Polyakov, SAP Security Note 1784894

ERPScan, Alexander Polyakov, SAP Security Note 1789611

ERPScan, Nikolay Mescherin, SAP Security Note 1807196

ERPScan, Alexander Polyakov, SAP Security Note 1685106

Onapsis, Nahuel D. Sánchez, SAP Security Note 1789611

Positive Technologies, Arseny Reutov, SAP Security Note 1820894

 

February 2013

Core Security Consulting Services, Martin Gallo and Francisco Falcon, SAP Security Note 1800603 

ERPScan, Dmitry Chastuhin, SAP Security Note 1757675

ERPScan, Nikolay Mescherin, SAP Security Note 1446476

ERPSecurity, Joris van de Vis, SAP Security Note 1796264

ESNC, Ertunga Arsal, SAP Security Note 1750997

ESNC, Ertunga Arsal, SAP Security Note 1777228

ESNC, Ertunga Arsal, SAP Security Note 1788426

ESNC, Ertunga Arsal, SAP Security Note 1791089

ESNC, Ertunga Arsal, SAP Security Note 1792354

ESNC, Ertunga Arsal, SAP Security Note 1795948

MWR Labs, and Context IS, Dave Hartley, SAP Security Note 1764994

Onapsis, Nahuel D. Sánchez, SAP Security Note 1757675

Virtual Forge, Frederik Weidemann, SAP Security Note 1750997

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1788614

Virtual Forge, Xu Jia, Andreas Wiegenstein, Frederik Weidemann and Markus Schumacher, SAP Security Note 1819543

 

January 2013

Compass Security AG, Axel Neumann, SAP Security Note 1784770

ERPScan, Alexey Tuyrin and Dmitry Chastuhin, SAP Security Note 1412864

ERPScan, Dmitry Chastuhin, SAP Security Note 1628537

ERPScan, Dmitry Chastuhin, SAP Security Note 1729293

ERPScan, Dmitry Chastuhin, SAP Security Note 1725390

ERPSecurity, Joris van de Vis, SAP Security Note 1674132
ERPSecurity, Joris van de Vis, SAP Security Note 1794299

ESNC, Ertunga Arsal, SAP Security Note 1674132

ESNC, Ertunga Arsal, SAP Security Note 1779317

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1673016

ESNC, Ertunga Arsal, SAP Security Note 1776984

Finnish Communications Regulatory Authority (FICORA), Jussi, SAP Security Note 1731362

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1755108

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1772208

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1785747

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1775422

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1784654

 

December 2012

ERPSecurity, Joris van de Vis, SAP Security Note 1771020
ERPSecurity, Joris van de Vis, SAP Security Note 1769099

ERPSecurity, Joris van de Vis, SAP Security Note 1773758

ERPSecurity, Joris van de Vis, SAP Security Note 1714607

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1776695

ESNC, Ertunga Arsal, SAP Security Note 1772498

ESNC, Ertunga Arsal, SAP Security Note 1774903

ESNC, Ertunga Arsal and Anja Meiser, SAP Security Note 1771204

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1774903

 

November 2012

CIBER, Martin Voros, SAP Security Note 1597598

ERPScan, Alexey Tuyrin, SAP Security Note 1715040

ERPScan, Alexey Tuyrin, SAP Security Note 1734986

ERPScan, Dmitry Chastuhin, SAP Security Note 1679897

ERPSecurity, Joris van de Vis, SAP Security Note 1673713
ERPSecurity, Joris van de Vis, SAP Security Note 1652271

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1774568

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1758450

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1682613

Virtual Forge, Frederik Weidemann, SAP Security Note 1652271

Virtual Forge, Xu Jia, SAP Security Note 1686172

Virtual Forge, Xu Jia and Andreas Wiegenstein, SAP Security Note 1768068

 

October 2012

ERPScan, Alexandr Polyakov, SAP Security Note 1724516

 

September 2012

Virtual Forge, Gert Kremser, SAP Security Note 1678732

ERPScan, Alexey Tuyrin, SAP Security Note 1621534

ERPSecurity, Joris van de Vis, SAP Security Note 1668224
ESNC, Ertunga Arsal, SAP Security Note 1668224

 

August 2012

Virtual Forge, Sebastian Schinzel, SAP Security Note 1687334

Virtual Forge, Sebastian Schinzel, SAP Security Note 1684632
Virtual Forge, Gert Kremser, SAP Security Note 1692988

Ruhr-Universität Bochum, Juraj Somorovsky, Tibor Jager, SAP Security Note 1687334
Ruhr-Universität Bochum, Juraj Somorovsky, Tibor Jager, SAP Security Note 1684632

ERPSecurity, Joris van de Vis, SAP Security Note 1727914
ERPSecurity, Joris van de Vis, SAP Security Note 1718613

ERPScan, Alexey Tuyrin, SAP Security Note 1728500
ERPScan, Alexander Polyakov, SAP Security Note 1669031

Positive Technologies, Ilya Smith, Maxim Tsoy, Kirill Mosolov, Evgeny Ryzhov, SAP Security Note 1663732

 

 

July 2012

ERPScan, Dmitry Chastuhin, SAP Security Note 1721309

ERPScan, Alexander Polyakov, Alexey Tuyrin, Alexandr Minojenko, SAP Security Note 1723641

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1686842

Virtual Forge, Andreas Wiegenstein & Frederik Weidemann, SAP Security Note 1720994

sec-1, Richard Jones, SAP Security Note 1723641

 

June 2012

ESNC, Ertunga Arsal, SAP Security Note 1691744

ESNC, Ertunga Arsal and Mert Suoglu, SAP Security Note 1537089

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1695286
Virtual Forge, Andreas Wiegenstein, SAP Security Note 1683644
Virtual Forge, Andreas Wiegenstein, SAP Security Note 1684539

Virtual Forge, Frederik Weidemann & Markus Seibel (GM IT Business Service), SAP Security Note 1638779

ERPScan, Alexander Polyakov, Alexey Tuyrin, Alexandr Minojenko, SAP Security Note 1707494
ERPScan, Dmitry Chastuhin, SAP Security Note 1705800

CIBER, Martin Voros, SAP Security Note 1599567

akquinet AG, Ralf Kempf, SAP Security Note 1537089

 

May 2012

Compass Security AG, Alexandre Herzog, 1626152

Positive Technologies, Vladimir Zarichny, 1687910

Affinion International, Sherif Mansour, SAP Security Note 1615019

ERPScan, Dmitry Chastuhin, SAP Security Note 1590866

ERPScan, Alexey Tuyrin, SAP Security Note 1597066

ERPScan, Alexey Tuyrin, SAP Security Note 1614834

ERPScan, Dmitry Chastuhin, SAP Security Note 1675605

Zero Day Initiative, SAP Security Note 1685003

Zero Day Initiative, SAP Security Note 1662272

ERPSecurity, Joris van de Vis, SAP Security Note 1675533

ERPSecurity, Joris van de Vis, SAP Security Note 1682505

Core Security Consulting Services, Martin Gallo, 1687910

Context Information Security Ltd, Michael Jordon, Security Note 1341333

 

April 2012

Xiting AG, Julius von dem Bussche, SAP Security Note 1647225

Affinion International, Sherif Mansour, SAP Security Note 1652803

CIBER, Martin Voros, SAP Security Note 1657200

akquinet AG, Ralf Kempf, SAP Security Note 1590651

iDefense Labs, an anonymous researcher working with VeriSign iDefense Labs, Sybase Patches EBF 20065, EBF 20066, EBF 20067, EBF 20068, EBF 20069 and EBF 20070

 

March 2012

Virtual Forge, Andreas Wiegenstein, Frederik Weidemann & Sandra Möckel, SAP Security Note 1607850

Virtual Forge, Andreas Wiegenstein & Peter Werner, SAP Security Note 1580244

ERPScan, Dmitry Chastuhin, SAP Security Note 1656549

ERPScan, Alexey Tuyrin, SAP Security Note 1657891

CIBER, Martin Voros, SAP Security Note 1591427

Onapsis, Mariano Nunez Di Croce, SAP Security Note 1658947

Xiting AG, Julius von dem Bussche, SAP Security Note 1600755

 

February 2012

Virtual Forge, Sebastian Schinzel & Frederik Weidemann, SAP Security Note 1586410

Virtual Forge, Andreas Wiegenstein & Frederik Weidemann, SAP Security Note 1584930

Virtual Forge, Erich Prosche & Sandra Möckel, SAP Security Note 1607529

Virtual Forge, Andreas Wiegenstein & Sven Neuz, SAP Security Note 1597597

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1661349

ERPSecurity, Joris van de Vis, SAP Security Note 1641329

ERPSecurity, Joris van de Vis, SAP Security Note 1644746

Zero Day Initiative, SAP Security Note 1649838

Zero Day Initiative, SAP Security Note 1649840

ESNC, Ertunga Arsal, SAP Security Note 1667805

akquinet AG, Ralf Kempf, SAP Security Note 1644043

 

January 2012

ERPScan, Alexey Sintsov, SAP Security Note 1619539

Virtual Forge, Andreas Wiegenstein & Peter Werner, SAP Security Note 1613621

 

December 2011

ERPScan, Alexandr Polyakov, SAP Security Note 1568003

ERPScan, Alexey Tyurin, SAP Security Note 1594475

ERPScan, Dmitry Chastuhin, SAP Security Notes 1630293, 1584030, 1647871

Daimler TSS GmbH, Stefan Does, SAP Security Note 1647871

National Australia Bank, nabCERT Security Assurance, SAP Security Note 1583982

Virtual Forge, Markus Schumacher, SAP Security Note 1597391

Virtual Forge, Andreas Wiegenstein & Agnes Six, SAP Security Note 1576763

 

November 2011

ERPScan, Dmitriy Chastuchin, SAP Security Notes 1583300, 1585527

ERPScan, Alexey Tuyrin, SAP Security Note 1595074

Virtual Forge, Andreas Wiegenstein, Gert Kremser, Sandra Moeckel, SAP Security Note 1595074

akquinet AG, Ralf Kempf, SAP Security Note 1605054

CIBER, Martin Voros, SAP Security Notes 1632020, 1631458, 1631460

Context Information Security Ltd, Nico Leidecker, SAP Security Note 1638811

Onapsis, Jordan Santarsieri, SAP Security Note 1589716

Xiting AG, Julius von dem Bussche, SAP Security Note 1616366

 

October 2011

ERPSecurity, Joris van de Vis, SAP Security Note 1577513

Virtual Forge, Andreas Wiegenstein, Xu Jia, SAP Security Note 1606808

Virtual Forge, Andreas Wiegenstein, Markus Schumacher, Sebastian Schinzel, SAP Security Note 1577513

ESNC GmbH, Ertunga Arsal, SAP Security Note 1577513

IBM, Dr. Emin Tatli, SAP Security Note 1567387

KPMG, Huynh Thien Tam, SAP Security Note 1567387

ERPScan, Dmitriy Evdokimov, SAP Security Note 1585652

VeriSign iDefense Labs, Abdul Aziz Hariri, Sybase Note 1095200

 

SAP Disclosure Guidelines

SAP takes the security of its products very seriously, with a comprehensive software development lifecycle process, clear quality and security standards for software development and a dedicated Product Security Response process in place as the most visible evidence of its commitment. The SAP Product Security Response team is responsible for investigating all reported security vulnerabilities, working closely with reporters of vulnerabilities and SAP product development to provide patches, and informing customers about the patches and their importance. Since the integrity and security of business operations is crucial for businesses in all industries, SAP as a provider of business software is absolutely committed to maintaining the highest possible level of security within its products.

 

Reporting Security Vulnerabilities

As an integral part of our continuous improvement process, we are very interested in reports on possible security vulnerabilities. However, to ensure a professional and efficient process, we ask all security researchers to adhere to the following guidelines when reporting potential security vulnerabilities.

 

Report the vulnerability to SAP

When you have detected a vulnerability in one of our software products – either in the latest or in a former product version – please inform us about the issue.

  • Our Product Security Response team is standing by to work with you closely to discuss the vulnerability.
  • A member of our team will get in touch with you shortly after receiving your message – either by e-mail or, if you wish, by telephone.
  • SAP customers who want to report a vulnerability should create a customer ticket in the corresponding support system.
  • All other reporters should send an email to secure@sap.com. When reporting a vulnerability to SAP, please use PGP for e-mail encryption. Get our public PGP key here.

 

Please give SAP sufficient time to develop suitable fixes

    • Fixing security vulnerabilities can be a long and arduous process as we work to develop a patch, ensure its compatibility with all relevant software versions, run comprehensive tests to ensure that the fixes run well and do not have any side-effects, and provide it to our customers.
    • As a vendor of business software we provide security fixes not only to the latest version but also for many older versions of our software products. This means that we need to develop and thoroughly test feasible patches for a broad range of product versions, which can take time.

Please do not publicize vulnerabilities until SAP customers have had time to deploy fixes

    • The deployment of patches for SAP enterprise systems is usually more complicated than a software upgrade on a consumer PC. Depending on the nature of the vulnerability, the deployment of patches often is not only done by an automated update; in some cases it requires manual configuration work in the system.
    • Some of our customers also have regular patching cycles, for instance on a monthly or a quarterly basis.
    • In light of these circumstances, we ask all security researchers to give SAP customers sufficient time to implement patches in their SAP systems. As a rule of thumb, we suggest respecting an implementation time of three months. We ask all security researchers to not disseminate any kind of information or tools that would help to exploit the vulnerability during that time.

 

Legal information - terms and conditions

By submitting information about security threats and/or solution proposals (hereinafter together referred to as "Feedback") to SAP:

  • You commit yourself to the principle expressed in this guideline to avoid any harm to SAP users and you therefore agree not to publicize information about threats and vulnerabilities of the SAP software before a fix and/or patch has been made available by SAP; AND
  • You agree that SAP may use such Feedback to update and/or improve its software; and you grant to SAP a non-exclusive, perpetual, irrevocable, worldwide, royalty-free license, with the right to sublicense to SAP's licensees and customers, under all relevant intellectual property rights, to use, publish, and disclose such Feedback in any manner SAP chooses and to display, perform, copy, make, have made, use, sell, and otherwise dispose of SAP's and its sublicensee's products or services embodying Feedback in any manner and via any media SAP chooses, without reference to the source. SAP shall be entitled to use Feedback for any purpose without restriction or remuneration of any kind with respect to You and/or Your representatives; AND
  • You further agree that SAP may decide, in its sole discretion, to list your name and other personal information that you may provide for this purpose on the Acknowledgements page, unless you express to SAP your desire not to be mentioned. You may request at any time that your name and other personal information is deleted from the Acknowledgements page.
